CVE-2024-43367 – boa_engine
Package
Manager: cargo
Name: boa_engine
Vulnerable Version: >=0.16 <0.19.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00094 (percentile 0.27262)
Details
Boa has an uncaught exception when transitioning the state of `AsyncGenerator` objects

A wrong assumption made when handling ECMAScript's `AsyncGenerator` operations can cause an uncaught exception on certain scripts.

## Details

Boa's implementation of `AsyncGenerator` assumes that the state of an `AsyncGenerator` object cannot change while resolving a promise created by methods of `AsyncGenerator` such as `%AsyncGeneratorPrototype%.next`, `%AsyncGeneratorPrototype%.return`, or `%AsyncGeneratorPrototype%.throw`. However, carefully constructed code could trigger a state transition from a getter method for the promise's `then` property. The engine then fails an assertion of this assumption, which results in an uncaught exception. This could be used to create a denial-of-service attack in applications that run arbitrary ECMAScript code provided by an external user.

## Patches

Version 0.19.0 is patched to correctly handle this case.

## Workarounds

Users unable to upgrade to the patched version can use [`std::panic::catch_unwind`](https://doc.rust-lang.org/std/panic/fn.catch_unwind.html) to ensure that any exceptions caused by the engine don't impact the availability of the main application.

## References

- https://github.com/boa-dev/boa/commit/69ea2f52ed976934bff588d6b566bae01be313f7
- https://github.com/tc39/ecma262/security/advisories/GHSA-g38c-wh3c-5h9r
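The `catch_unwind` workaround sketched as a panic boundary around script evaluation. This is an added example, not code from the advisory or from the Boa project. `Outcome`, `run_isolated` and `stand_in_eval` are hypothetical names, and `stand_in_eval` only simulates the engine so the block runs without the `boa_engine` crate.

```rust
use std::any::Any;
use std::panic::{self, AssertUnwindSafe};

/// Result of running one untrusted script behind a panic boundary.
#[derive(Debug, PartialEq)]
pub enum Outcome<T> {
    Completed(T),
    /// The engine panicked; the message is kept for logging and alerting.
    EnginePanicked(String),
}

/// Turn a panic payload into a loggable string (`panic!` yields &str or String).
fn panic_message(payload: Box<dyn Any + Send>) -> String {
    if let Some(s) = payload.downcast_ref::<&str>() {
        (*s).to_string()
    } else if let Some(s) = payload.downcast_ref::<String>() {
        s.clone()
    } else {
        "non-string panic payload".to_string()
    }
}

/// Run `job` so that a panic inside it becomes a value instead of unwinding
/// into the host. Build the engine context inside `job`: state created there
/// is dropped during unwinding and never reused after a failed assertion.
pub fn run_isolated<T>(job: impl FnOnce() -> T) -> Outcome<T> {
    match panic::catch_unwind(AssertUnwindSafe(job)) {
        Ok(value) => Outcome::Completed(value),
        Err(payload) => Outcome::EnginePanicked(panic_message(payload)),
    }
}

/// Hypothetical stand-in for "create a fresh engine context and evaluate the
/// script"; it panics on a marker string to simulate the failed assertion.
fn stand_in_eval(script: &str) -> usize {
    if script.contains("PANIC_MARKER") {
        panic!("engine assertion failed");
    }
    script.len()
}

fn main() {
    // Constructed sample inputs; the second one simulates the engine panic.
    for script in ["1 + 1", "PANIC_MARKER"] {
        match run_isolated(|| stand_in_eval(script)) {
            Outcome::Completed(n) => println!("ok: {n}"),
            Outcome::EnginePanicked(msg) => eprintln!("script rejected: {msg}"),
        }
    }
}
```

`catch_unwind` only intercepts unwinding panics, so it has no effect in a binary built with `panic = "abort"`. The default panic hook still writes the panic message to stderr before the boundary returns.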
Metadata
Created: 2024-08-14T20:49:51Z
Modified: 2024-08-15T21:37:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-f67q-wr6w-23jq/GHSA-f67q-wr6w-23jq.json
CWE IDs: ["CWE-248"]
Alternative ID: GHSA-f67q-wr6w-23jq
Finding: F140
Auto approve: 1