CVE-2020-23321

9.8 CRITICAL

📋 TL;DR

This is a critical heap buffer overflow vulnerability in JerryScript's UTF-8 string parsing code. Attackers can exploit this to execute arbitrary code or crash applications using the vulnerable JavaScript engine. This affects any system running JerryScript 2.2.0 or applications embedding this engine.

💻 Affected Systems

Products:
  • JerryScript JavaScript engine
  • IoT devices using JerryScript
  • Embedded systems with JerryScript
Versions: JerryScript 2.2.0
Operating Systems: All platforms running JerryScript
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or device using JerryScript 2.2.0 to parse UTF-8 strings is vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash (denial of service) with potential for memory corruption leading to information disclosure.

🟢 If Mitigated: Contained crash within a sandboxed environment, with minimal impact beyond service disruption.

🌐 Internet-Facing: HIGH - JerryScript is often used in IoT devices and embedded systems directly exposed to untrusted input.
🏢 Internal Only: MEDIUM - Lower risk if JerryScript only processes trusted internal data, but still dangerous if exploited via lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The GitHub issue contains proof-of-concept code demonstrating the buffer overflow. Heap overflows are commonly weaponized for RCE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: JerryScript 2.3.0 and later

Vendor Advisory: https://github.com/jerryscript-project/jerryscript/issues/3870

Restart Required: Yes

Instructions:

1. Upgrade JerryScript to version 2.3.0 or later.
2. Recompile any applications using JerryScript.
3. Restart affected services or devices.

🔧 Temporary Workarounds

Input Validation (platform: all)

Implement strict validation of UTF-8 strings before passing them to JerryScript.

Memory Protection (platform: linux)

Enable ASLR and DEP/PaX to make exploitation more difficult:

echo 2 > /proc/sys/kernel/randomize_va_space
sysctl -w kernel.exec-shield=1

The kernel.exec-shield sysctl exists only on kernels that carry the Exec Shield patch (older Red Hat and Fedora kernels); on a mainline kernel the second command fails with "No such file or directory", and non-executable data pages are already enforced through the NX bit. ASLR randomizes the main executable only if it was built as a position-independent executable, so rebuild the embedding application with -fPIE -pie as part of the same hardening. Neither setting prevents the crash itself; they only make turning the overflow into code execution harder.

🧯 If You Can't Patch

  • Network segmentation to isolate JerryScript systems from untrusted networks
  • Implement strict input filtering and length limits on UTF-8 strings
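As an added example covering both the Input Validation workaround above and the input-filtering item in this list (this is not code from the JerryScript project or from the advisory), the following C pre-filter rejects malformed UTF-8 and over-long input before the bytes are handed to the engine. It is deliberately conservative: besides the shapes any decoder must reject (truncated sequences, bad lead or continuation bytes, overlong encodings, code points above U+10FFFF) it also rejects encoded surrogates, which is where CESU-8 style input differs from strict UTF-8. The function and type names, the 64-byte cap used in main, and the sample byte strings are this example's own assumptions.

```c
/* Added example, not JerryScript project code: a strict UTF-8 pre-filter an
 * embedding application can run over untrusted input before the bytes reach
 * the engine. Enforces RFC 3629 well-formedness plus a caller-chosen length
 * cap. All names below are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    UTF8_OK = 0,
    UTF8_TOO_LONG,       /* input exceeds the caller's byte limit */
    UTF8_TRUNCATED,      /* multi-byte sequence runs past the end of the buffer */
    UTF8_BAD_LEAD,       /* lead byte in 0x80-0xC1 or 0xF5-0xFF */
    UTF8_BAD_CONT,       /* continuation byte is not 10xxxxxx */
    UTF8_OVERLONG,       /* code point encoded with more bytes than needed */
    UTF8_SURROGATE,      /* U+D800..U+DFFF, e.g. CESU-8 style surrogate pairs */
    UTF8_OUT_OF_RANGE    /* code point above U+10FFFF */
} utf8_status_t;

static const char *const utf8_status_name[] = {
    "ok", "too long", "truncated", "bad lead byte", "bad continuation",
    "overlong", "surrogate", "out of range"
};

/* Validates buf[0..len). Returns UTF8_OK or the first problem found; on
 * failure *err_off (if non-NULL) receives the byte offset of the bad sequence. */
utf8_status_t utf8_validate(const uint8_t *buf, size_t len, size_t max_len,
                            size_t *err_off)
{
    size_t i = 0;

    if (len > max_len) {
        if (err_off) *err_off = max_len;
        return UTF8_TOO_LONG;
    }
    while (i < len) {
        uint8_t lead = buf[i];
        size_t need = 0;          /* continuation bytes expected after the lead */
        uint32_t cp = 0, min = 0; /* decoded code point; smallest value this length may carry */
        utf8_status_t st = UTF8_OK;

        if (lead < 0x80) { i++; continue; }            /* ASCII fast path */
        else if (lead >= 0xC2 && lead <= 0xDF) { need = 1; cp = lead & 0x1F; min = 0x80; }
        else if (lead >= 0xE0 && lead <= 0xEF) { need = 2; cp = lead & 0x0F; min = 0x800; }
        else if (lead >= 0xF0 && lead <= 0xF4) { need = 3; cp = lead & 0x07; min = 0x10000; }
        else st = UTF8_BAD_LEAD;                        /* 0xC0, 0xC1, stray continuation, 0xF5+ */

        if (st == UTF8_OK && len - i < need + 1) st = UTF8_TRUNCATED;
        for (size_t k = 1; st == UTF8_OK && k <= need; k++) {
            uint8_t c = buf[i + k];
            if ((c & 0xC0) != 0x80) st = UTF8_BAD_CONT;
            else cp = (cp << 6) | (c & 0x3F);
        }
        if (st == UTF8_OK) {
            if (cp < min) st = UTF8_OVERLONG;
            else if (cp >= 0xD800 && cp <= 0xDFFF) st = UTF8_SURROGATE;
            else if (cp > 0x10FFFF) st = UTF8_OUT_OF_RANGE;
        }
        if (st != UTF8_OK) {
            if (err_off) *err_off = i;
            return st;
        }
        i += need + 1;
    }
    return UTF8_OK;
}

int main(void)
{
    /* Constructed samples for demonstration; not data from the vulnerability report. */
    struct { const char *label; const uint8_t *bytes; size_t len; } samples[] = {
        { "plain ascii",      (const uint8_t *)"hello",            5 },
        { "2-byte e-acute",   (const uint8_t *)"\xC3\xA9",         2 },
        { "CESU-8 surrogate", (const uint8_t *)"\xED\xA0\x80",     3 },
        { "overlong NUL",     (const uint8_t *)"\xC0\x80",         2 },
        { "overlong 3-byte",  (const uint8_t *)"\xE0\x80\x80",     3 },
        { "above U+10FFFF",   (const uint8_t *)"\xF4\x90\x80\x80", 4 },
        { "truncated",        (const uint8_t *)"\xE2\x82",         2 },
    };
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        size_t off = 0;
        utf8_status_t st = utf8_validate(samples[n].bytes, samples[n].len, 64, &off);
        printf("%-18s -> %s", samples[n].label, utf8_status_name[st]);
        if (st != UTF8_OK) printf(" at byte %zu", off);
        printf("\n");
    }
    return 0;
}
```

Wire the check in front of whatever call hands the buffer to the engine and drop the input on anything other than UTF8_OK; the returned offset is useful to log alongside the rejection so that repeated malformed input from one source shows up in monitoring.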

🔍 How to Verify

Check if Vulnerable:

Check whether the installed JerryScript is version 2.2.0, using jerry --version or by examining the libraries linked into the application.

Check Version:

jerry --version 2>&1 | head -1

Verify Fix Applied:

Verify that the JerryScript version is 2.3.0 or later, and test with known malformed UTF-8 sequences to confirm they are rejected without a crash.

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault crashes in JerryScript processes
  • Memory corruption warnings in system logs
  • Abnormal process termination

Network Indicators:

  • Unusual UTF-8 payloads to JerryScript endpoints
  • Exploit kit traffic patterns

SIEM Query:

process_name:"jerry" AND (event_type:"crash" OR memory_violation:"heap")
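As an added example for the log indicators and SIEM query above (not code from the JerryScript project or the advisory), the following C program parses the Linux kernel's segfault message, which is how "Segmentation fault crashes in JerryScript processes" surface in dmesg or syslog, and counts crashes per process name so that a burst of crashes from a jerry-based service stands out from a one-off fault. The message format is the kernel's; the sample lines, process names and addresses are constructed, and all identifiers are this example's own.

```c
/* Added example, not JerryScript project code: parse the Linux kernel's
 * "comm[pid]: segfault at ADDR ip ADDR sp ADDR error N in OBJ[...]" message,
 * decode the fault flags, and count crashes per process name. The log lines
 * are constructed samples, not captured from a real host. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char comm[32];          /* process name as printed by the kernel */
    long pid;
    unsigned long addr;     /* faulting address */
    unsigned long err;      /* x86 page-fault error code */
    char object[64];        /* mapping the instruction pointer fell into, if printed */
} segfault_t;

/* Returns false for any line that is not a kernel segfault message. */
bool parse_segfault(const char *line, segfault_t *out)
{
    const char *marker = strstr(line, "]: segfault at ");
    if (!marker) return false;

    /* Walk back over the PID to its opening bracket, then over the comm
     * to the preceding space (or the start of the line). */
    const char *lb = marker;
    while (lb > line && *lb != '[') lb--;
    if (*lb != '[') return false;
    const char *start = lb;
    while (start > line && start[-1] != ' ') start--;

    size_t n = (size_t)(lb - start);
    if (n == 0 || n >= sizeof out->comm) return false;
    memcpy(out->comm, start, n);
    out->comm[n] = '\0';
    out->object[0] = '\0';

    int got = sscanf(lb, "[%ld]: segfault at %lx ip %*lx sp %*lx error %lx in %63[^[]",
                     &out->pid, &out->addr, &out->err, out->object);
    return got >= 3;   /* the "in OBJ" part is optional */
}

/* x86 page-fault error code: bit 1 set means a write access, bit 2 set means
 * the fault came from user mode. A write fault out of a script engine is the
 * more worrying shape for a heap overflow than a read of an unmapped page. */
bool segfault_is_write(const segfault_t *s) { return (s->err & 0x2) != 0; }
bool segfault_is_user(const segfault_t *s)  { return (s->err & 0x4) != 0; }

/* Constructed sample log lines (not from a real system). */
static const char *const sample_log[] = {
    "[ 1234.567890] jerry[4242]: segfault at 0 ip 000055d1c0a3b1c0 sp 00007ffd2e8d5f10 error 6 in jerry[55d1c0a00000+80000]",
    "[ 1234.912345] usb 1-1: new high-speed USB device number 3 using xhci_hcd",
    "[ 1235.101010] jerry[4251]: segfault at 7f3c2a1b0040 ip 00007f3c29f01234 sp 00007ffd2e8d5e00 error 4 in libjerry-core.so[7f3c29e00000+120000]",
    "[ 1236.000001] nginx[1001]: segfault at 10 ip 000055a0b0001000 sp 00007ffe00000000 error 4 in nginx[55a0b0000000+100000]",
};
#define SAMPLE_LOG_COUNT (sizeof sample_log / sizeof sample_log[0])

/* Counts segfault lines whose process name begins with comm_prefix. */
size_t count_crashes(const char *const *lines, size_t n, const char *comm_prefix)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        segfault_t s;
        if (parse_segfault(lines[i], &s) &&
            strncmp(s.comm, comm_prefix, strlen(comm_prefix)) == 0)
            hits++;
    }
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_LOG_COUNT; i++) {
        segfault_t s;
        if (!parse_segfault(sample_log[i], &s)) continue;
        printf("%s[%ld] crashed at %#lx in %s (%s access, %s mode)\n",
               s.comm, s.pid, s.addr, s.object[0] ? s.object : "?",
               segfault_is_write(&s) ? "write" : "read",
               segfault_is_user(&s) ? "user" : "kernel");
    }
    printf("jerry crashes in sample: %zu\n",
           count_crashes(sample_log, SAMPLE_LOG_COUNT, "jerry"));
    return 0;
}
```

The same parser can be fed the output of journalctl -k or /var/log/kern.log; keeping a rolling window of parsed lines and alerting when count_crashes for the jerry-based service exceeds a threshold is the host-side equivalent of the SIEM query above, and the write/read flag plus the faulting mapping (libjerry-core.so versus the application binary) gives the first triage hint.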

🔗 References
