CVE-2021-29324

7.8 HIGH

📋 TL;DR

CVE-2021-29324 is a stack overflow vulnerability in Moddable v10.5.0's xsScript.c component that allows attackers to execute arbitrary code or cause denial of service. This affects any application or device using the vulnerable Moddable JavaScript engine, particularly IoT devices and embedded systems.

💻 Affected Systems

Products:
  • Moddable SDK
Versions: v10.5.0 specifically
Operating Systems: All platforms running Moddable (Linux, macOS, Windows, embedded systems)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the vulnerable xsScript.c component for script execution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or device takeover
🟠 Likely Case: Application crash causing denial of service, potentially disrupting device functionality
🟢 If Mitigated: Contained crash with minimal impact if proper sandboxing and memory protections are enabled

🌐 Internet-Facing: MEDIUM - Requires specific script execution conditions but could be exploited remotely
🏢 Internal Only: MEDIUM - Similar risk profile whether internet-facing or internal

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof of concept available in GitHub issue #586; exploitation requires triggering the vulnerable script parsing function

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v10.5.1 and later

Vendor Advisory: https://github.com/Moddable-OpenSource/moddable/issues/586

Restart Required: Yes

Instructions:

1. Update Moddable SDK to v10.5.1 or later.
2. Recompile all applications using the updated SDK.
3. Redeploy/reinstall patched applications.
4. Restart affected devices/services.

🔧 Temporary Workarounds

Input validation and sanitization
Platform: all

Implement strict input validation for all script inputs to prevent triggering the overflow

Memory protection hardening
Platform: linux

Enable stack canaries and ASLR if supported by the platform

gcc -fstack-protector-all -pie -fPIE

🧯 If You Can't Patch

  • Network segmentation to isolate vulnerable devices from untrusted networks
  • Implement strict input validation and sanitization for all script execution

🔍 How to Verify

Check if Vulnerable:

Check Moddable SDK version: if exactly v10.5.0, you are vulnerable

Check Version:

Check package.json or build configuration for Moddable version

Verify Fix Applied:

Verify Moddable SDK version is v10.5.1 or later and recompile applications

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Unexpected process termination
  • Memory access violation errors

Network Indicators:

  • Unusual script execution patterns
  • Large script payloads to vulnerable endpoints

SIEM Query:

process.name:"moddable" AND (event.type:"crash" OR event.type:"segfault")
