CVE-2021-29328 – CVE-2021-29328 is a buffer over-read vulnerabil... (How to Fix)

Q: What is the severity of CVE-2021-29328?

CVE-2021-29328 has a CVSS score of 7.1 (HIGH). CVE-2021-29328 is a buffer over-read vulnerability in Moddable's fxDebugThrow function that could allow attackers to read sensitive memory contents. This affects applications using Moddable v10.5.0 for embedded JavaScript development. The vulnerability could lead to information disclosure or potentially enable further exploitation.

📋 TL;DR

CVE-2021-29328 is a buffer over-read vulnerability in Moddable's fxDebugThrow function that could allow attackers to read sensitive memory contents. This affects applications using Moddable v10.5.0 for embedded JavaScript development. The vulnerability could lead to information disclosure or potentially enable further exploitation.

💻 Affected Systems

Products:

Moddable SDK

Versions: v10.5.0

Operating Systems: All platforms where Moddable runs (embedded systems, IoT devices, etc.)

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability is in the debug functionality; production builds with debug disabled may be less exposed

📦 What is this software?

Moddable by Moddable

View all CVEs affecting Moddable →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory disclosure leading to sensitive data exposure, potential information leak that could facilitate ASLR bypass or enable further exploitation chains

🟠

Likely Case

Application crash or denial of service due to invalid memory access, potential information disclosure from adjacent memory

🟢

If Mitigated

Minimal impact if debug functionality is disabled or proper memory protections are in place

🌐 Internet-Facing: MEDIUM - Exploitation requires triggering the vulnerable debug function, which may be accessible through crafted inputs

🏢 Internal Only: LOW - Typically requires local access or specific conditions to trigger the vulnerable code path

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires triggering the specific debug function with crafted input; no public exploits have been documented

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v10.5.1 and later

Vendor Advisory: https://github.com/Moddable-OpenSource/moddable/issues/585

Restart Required: Yes

Instructions:

1. Update Moddable SDK to version 10.5.1 or later. 2. Rebuild and redeploy any applications using the vulnerable version. 3. Verify debug functionality is properly secured in production environments.

🔧 Temporary Workarounds

Disable Debug Functionality

all

Disable or restrict access to debug features in production environments

Build with debug features disabled: xsbug = false in project configuration

🧯 If You Can't Patch

Implement input validation and sanitization for all debug-related functionality
Apply memory protection mechanisms and sandboxing where available

🔍 How to Verify

Check if Vulnerable:

Check Moddable SDK version: if using v10.5.0, you are vulnerable

Check Version:

Check package.json or build configuration for Moddable version

Verify Fix Applied:

Verify Moddable SDK version is 10.5.1 or later and rebuild applications

📡 Detection & Monitoring

Log Indicators:

Application crashes with memory access violations
Unexpected debug function calls

Network Indicators:

Unusual debug protocol traffic patterns

SIEM Query:

Process crashes with memory access violation errors in Moddable applications

📊 Metadata

CVE ID: CVE-2021-29328

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

CWE: CWE-125

Published: November 19, 2021

Last Updated: November 21, 2024

🔗 References

https://github.com/Moddable-OpenSource/moddable/issues/585 Exploit,Issue Tracking,Patch,Third Party Advisory
https://github.com/Moddable-OpenSource/moddable/issues/585 Exploit,Issue Tracking,Patch,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-29328, you might also want to check these: