CVE-2022-22893

7.8 HIGH

📋 TL;DR

CVE-2022-22893 is a stack overflow vulnerability in Jerryscript 3.0.0's VM component that allows attackers to execute arbitrary code or cause denial of service. This affects any application or device using the vulnerable Jerryscript JavaScript engine version. The vulnerability is triggered through specially crafted JavaScript input.

💻 Affected Systems

Products:
  • Jerryscript JavaScript engine
Versions: Version 3.0.0 specifically
Operating Systems: All platforms running Jerryscript
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or device embedding Jerryscript 3.0.0 is vulnerable when processing JavaScript input.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.

🟠 Likely Case

Application crash causing denial of service, potentially disrupting dependent services or devices.

🟢 If Mitigated

Limited impact with proper input validation and memory protection mechanisms in place.

🌐 Internet-Facing: HIGH - If Jerryscript processes untrusted JavaScript from external sources, exploitation is straightforward.
🏢 Internal Only: MEDIUM - Still significant risk from malicious internal users or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The GitHub issue includes technical details that could facilitate exploitation. Stack overflow vulnerabilities in scripting engines are commonly weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 3.0.0 (check latest release)

Vendor Advisory: https://github.com/jerryscript-project/jerryscript/issues/4901

Restart Required: Yes

Instructions:

1. Check current Jerryscript version.
2. Update to latest Jerryscript release.
3. Rebuild and redeploy any applications using Jerryscript.
4. Restart affected services.

🔧 Temporary Workarounds

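Input Validation (platform: all)

Implement strict input validation and sanitization for JavaScript processed by Jerryscript

Memory Protection (platform: linux)

Enable stack protection mechanisms like ASLR and stack canaries if available. The command below, run as root, sets full ASLR system-wide; stack canaries are a compile-time option, so they only take effect after the application is rebuilt with them enabled.

echo 2 > /proc/sys/kernel/randomize_va_space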

🧯 If You Can't Patch

  • Isolate Jerryscript instances in containers or sandboxes with minimal privileges
  • Implement network segmentation to limit access to vulnerable systems

🔍 How to Verify

Check if Vulnerable:

Check if Jerryscript version is exactly 3.0.0 in your application dependencies or embedded code

Check Version:

Check build configuration or dependency files for 'jerryscript 3.0.0'

Verify Fix Applied:

Verify Jerryscript version is updated beyond 3.0.0 and test with known malicious JavaScript samples
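
Embedded copies of Jerryscript are often vendored as source with no dependency manifest to search, so the version check above can be run against the headers instead. The script below is an added example, not code from this advisory or from the Jerryscript project; it assumes the vendored copy keeps the upstream JERRY_API_MAJOR_VERSION, JERRY_API_MINOR_VERSION and JERRY_API_PATCH_VERSION macros, and its function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Jerryscript project code. Assumes the embedded copy keeps
# the upstream JERRY_API_{MAJOR,MINOR,PATCH}_VERSION macros in a public header.

# Print MAJOR.MINOR.PATCH read from one header; print nothing if any is missing.
jerry_header_version() {
    awk '
        { sub(/\r$/, "") }   # tolerate headers checked out with CRLF endings
        $1 == "#define" && $2 == "JERRY_API_MAJOR_VERSION" { major = $3 }
        $1 == "#define" && $2 == "JERRY_API_MINOR_VERSION" { minor = $3 }
        $1 == "#define" && $2 == "JERRY_API_PATCH_VERSION" { patch = $3 }
        END { if (major != "" && minor != "" && patch != "") print major "." minor "." patch }
    ' "$1"
}

# Walk a source tree and print one line per vendored copy found:
#   AFFECTED <version> <header>   when the version is exactly 3.0.0
#   OTHER    <version> <header>   for any other version
jerry_scan_tree() {
    find "$1" -type f -name '*.h' -exec grep -l 'JERRY_API_MAJOR_VERSION' {} + 2>/dev/null |
    while IFS= read -r hdr; do
        ver=$(jerry_header_version "$hdr")
        [ -n "$ver" ] || continue
        if [ "$ver" = "3.0.0" ]; then tag=AFFECTED; else tag=OTHER; fi
        printf '%s %s %s\n' "$tag" "$ver" "$hdr"
    done
}

# Exit status 0 if at least one copy in the tree declares version 3.0.0.
jerry_tree_is_affected() {
    jerry_scan_tree "$1" | grep -q '^AFFECTED '
}

# Constructed sample tree (not real project files) for trying the scan offline.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/app a/third_party/jerry/include" "$d/app b/deps/include"
    printf '#define JERRY_API_MAJOR_VERSION 3\n#define JERRY_API_MINOR_VERSION 0\n#define JERRY_API_PATCH_VERSION 0\n' \
        > "$d/app a/third_party/jerry/include/jerryscript-types.h"
    printf '#define JERRY_API_MAJOR_VERSION 2\n#define JERRY_API_MINOR_VERSION 4\n#define JERRY_API_PATCH_VERSION 0\n' \
        > "$d/app b/deps/include/jerryscript-core.h"
    printf '%s\n' "$d"
}

# Usage: sh check_jerry.sh /path/to/source/tree
if [ "$#" -gt 0 ]; then jerry_scan_tree "$1"; fi
```

The macros report only the API version a copy declares, so confirm an AFFECTED or OTHER result against the release or commit that was actually built.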

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Unusual memory usage patterns
  • Stack overflow error messages

Network Indicators:

  • Unusual JavaScript payloads being sent to applications using Jerryscript

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "stack overflow") AND process="*jerry*"
