CVE-2021-46524

7.8 HIGH

📋 TL;DR

CVE-2021-46524 is a heap buffer overflow vulnerability in Cesanta MJS v2.20.0 that allows attackers to execute arbitrary code or cause denial of service. This affects any application or device using the vulnerable MJS JavaScript engine for embedded systems. Attackers can exploit this by providing specially crafted JSON input to trigger the overflow in the snquote function.

💻 Affected Systems

Products:
  • Cesanta MJS JavaScript engine
Versions: Version 2.20.0 specifically
Operating Systems: All platforms running MJS (Linux, Windows, embedded systems)
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using MJS for JSON parsing is vulnerable when processing untrusted input


⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation

🟠 Likely Case: Denial of service causing application crashes or instability, potentially leading to service disruption

🟢 If Mitigated: Contained application crash without privilege escalation if proper sandboxing and memory protections are enabled

🌐 Internet-Facing: HIGH - Exploitable via network input to JSON parsing functions without authentication
🏢 Internal Only: MEDIUM - Requires attacker access to internal systems or malicious input injection

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof of concept available in GitHub issue #192; exploitation requires crafting specific JSON payloads

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2.20.1 or later

Vendor Advisory: https://github.com/cesanta/mjs/issues/192

Restart Required: Yes

Instructions:

1. Update MJS to version 2.20.1 or later.
2. Recompile any applications using MJS.
3. Restart affected services.
4. Verify the fix by testing with known exploit payloads.

🔧 Temporary Workarounds

Input validation and sanitization (Platforms: all)

Implement strict input validation for JSON data before passing it to MJS parsing functions.

Disable JSON parsing if unused (Platforms: all)

Remove or disable MJS JSON parsing functionality if it is not required by the application.

🧯 If You Can't Patch

  • Implement network segmentation to isolate systems using vulnerable MJS versions
  • Deploy application firewalls to filter and inspect JSON payloads before reaching vulnerable systems

🔍 How to Verify

Check if Vulnerable:

Check MJS version in application dependencies or run 'strings' on binary to find MJS version strings

Check Version:

Check build configuration or dependency files for 'mjs' version 2.20.0

Verify Fix Applied:

Test with known exploit payloads from GitHub issue #192; successful parsing without crash indicates fix

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Memory corruption errors in system logs
  • Unexpected process termination

Network Indicators:

  • Unusual JSON payloads with crafted escape sequences
  • Repeated connection attempts to JSON endpoints

SIEM Query:

source="application.log" AND ("segmentation fault" OR "heap corruption" OR "buffer overflow") AND process="*mjs*"
