CVE-2021-33797

9.8 CRITICAL

📋 TL;DR

This vulnerability is a buffer overflow in Artifex MuJS's floating-point parsing code that allows attackers to execute arbitrary code or crash applications. It affects any system running MuJS versions 1.0.1 through 1.1.1 that processes untrusted JavaScript input. The high CVSS score reflects the potential for remote code execution.

💻 Affected Systems

Products:
  • Artifex MuJS
Versions: 1.0.1 to 1.1.1
Operating Systems: All platforms where MuJS runs
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when processing JavaScript with malicious floating-point numbers.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash (denial of service) or limited code execution within the MuJS context.

🟢 If Mitigated: No impact if input validation or sandboxing prevents malicious JavaScript execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific floating-point input but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.2 or later

Vendor Advisory: https://github.com/ccxvii/mujs/commit/833b6f1672b4f2991a63c4d05318f0b84ef4d550

Restart Required: Yes

Instructions:

1. Download MuJS 1.1.2 or later from GitHub.
2. Replace vulnerable version.
3. Recompile if using source.
4. Restart affected applications.

🔧 Temporary Workarounds

Input Validation (all platforms): Sanitize JavaScript input to reject suspicious floating-point notation.

Sandbox Execution (all platforms): Run MuJS in a restricted environment with limited permissions.
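One way to implement the input-validation workaround as a pre-filter in front of MuJS (an added example, not code from MuJS or the advisory). The function names, the 4-digit exponent threshold and the sample script are assumptions made for illustration; a filter like this is a stopgap and does not replace upgrading to 1.1.2.

```python
import re

# Assumption: a finite double needs at most 3 exponent digits
# (about 1e308 down to 5e-324); 4 leaves a little headroom.
MAX_EXPONENT_DIGITS = 4

# Decimal mantissa, then e/E, optional sign, exponent digits (captured).
# The lookbehind skips identifiers and hex literals such as 0x1e5.
# Raw text is scanned on purpose: digits inside string literals may still
# reach string-to-number conversion at runtime (assumption).
_FLOAT_EXP = re.compile(
    r"(?<![A-Za-z0-9_$.])"
    r"(?:\d+(?:\.\d*)?|\.\d+)"
    r"[eE][+-]?(\d+)"
)

def find_suspicious_exponents(source, max_digits=MAX_EXPONENT_DIGITS):
    """Return (line_number, literal) for every numeric literal whose
    exponent is written with more than max_digits digits."""
    hits = []
    for match in _FLOAT_EXP.finditer(source):
        if len(match.group(1)) > max_digits:
            line_no = source.count("\n", 0, match.start()) + 1
            literal = match.group(0)
            # Truncate so an oversized literal does not flood the log.
            if len(literal) > 32:
                literal = literal[:32] + "..."
            hits.append((line_no, literal))
    return hits

def should_reject(source):
    """True if the script should be refused before it reaches MuJS."""
    return bool(find_suspicious_exponents(source))

# Constructed sample input, not taken from any real payload.
SAMPLE = '''var a = 6.022e23;
var b = 1e-324;
var mask = 0x1e5;
var c = 1.5e123456789;
var d = Number("2E+0000099999");
'''

if __name__ == "__main__":
    for line_no, literal in find_suspicious_exponents(SAMPLE):
        print(f"line {line_no}: suspicious exponent in {literal}")
```

Numbers assembled at runtime (for example by string concatenation) are not visible to a static scan, so pair the filter with the sandboxing workaround.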

🧯 If You Can't Patch

  • Disable JavaScript processing in affected applications if possible.
  • Implement network segmentation to isolate vulnerable systems.

🔍 How to Verify

Check if Vulnerable:

Check MuJS version with 'mujs --version' or examine application dependencies.

Check Version:

mujs --version

Verify Fix Applied:

Confirm version is 1.1.2 or later and test with known safe floating-point inputs.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes
  • Memory access violation errors

Network Indicators:

  • Unusual JavaScript payloads with long floating-point exponents

SIEM Query:

source="application.log" AND "segmentation fault" AND process="mujs"
