CVE-2023-34868

7.5 HIGH

📋 TL;DR

CVE-2023-34868 is an assertion failure in the JavaScript parser of JerryScript, reached through parser_parse_for_statement_start (the routine that parses the start of a for statement). A crafted script makes the engine hit a failed JERRY_ASSERT, which aborts the embedding process, so the impact is denial of service. It affects JerryScript 3.0 at commit 05dbbd1, and any attacker who can get script text to an application that embeds the engine can trigger it.

💻 Affected Systems

Products:
  • Jerryscript
Versions: Version 3.0 (specifically commit 05dbbd1)
Operating Systems: All platforms running Jerryscript
Default Config Vulnerable: ⚠️ Yes
Notes: JerryScript is normally vendored as source and compiled into the host application, so every product that embeds it at the affected revision is exposed, not just the upstream project. The assertion aborts the process only in builds where JERRY_ASSERT is active (debug builds); release builds define JERRY_NDEBUG and skip the check, which hides the crash without removing the underlying parser defect.

📦 What is this software?

JerryScript is a lightweight JavaScript engine written in C for microcontrollers and other resource-constrained devices. It is embedded in a host application, which feeds it scripts through the jerry_* C API or runs them with the jerry command-line tool that the project's build produces.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service: the abort takes down the whole embedding process, not just the offending script, so one crafted script denies every function that process provides until it is restarted.

🟠

Likely Case

The application crashes while parsing a specially crafted script and is unavailable until a supervisor or operator restarts it; an attacker who can submit scripts repeatedly can keep it down.

🟢

If Mitigated

Limited to one worker if the engine runs in a separate, supervised process and only trusted or reviewed scripts are accepted.

🌐 Internet-Facing: MEDIUM - Exploitable if applications accept untrusted JavaScript input from external sources.
🏢 Internal Only: LOW - Requires ability to submit JavaScript to affected applications, typically limited to authorized users.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires ability to submit JavaScript to applications using Jerryscript. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Any upstream commit that includes the fix tracked in the linked issue (no release tag containing it is identified here; since JerryScript is built from source, pin the commit you build).

Upstream Issue: https://github.com/jerryscript-project/jerryscript/issues/5083

Restart Required: Yes

Instructions:

1. Update the vendored JerryScript sources to a commit that includes the fix.
2. Rebuild every application that links JerryScript; the engine is compiled into the host binary, so there is no library-only update to install.
3. Restart the affected services, or reflash the devices, so the rebuilt binary is the one running.

🔧 Temporary Workarounds

Input Validation

Applies to: all platforms

Filtering JavaScript for "malicious" constructs before it reaches the parser is not a reliable defence here: the defect is in the parser itself, so any filter thorough enough to catch the trigger is a second parser. What does work is restricting who may submit scripts (signed or reviewed scripts only, no user-supplied code) until the fix is deployed.

Sandbox Execution

Applies to: all platforms

Run the engine in a separate, supervised process (or container) so that a parser abort kills only that worker, and restart it on failure. The host must treat an engine crash as an expected event rather than a fatal one, and should record it, because each crash is evidence of who submitted what.

Build-type caveat: JERRY_ASSERT is compiled out when JERRY_NDEBUG is defined, which the project's non-debug build configurations do, so a release build does not abort at this assertion. That does not make it unaffected: the parser continues past a violated invariant, with consequences this page does not characterise. Treat release builds as vulnerable until rebuilt with the fix.
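The wrapper below is an added example of the out-of-process pattern described above; it is not code from this page or from the JerryScript project. It assumes the engine is invoked as a command that takes the script path as its last argument (the jerry CLI built by the project behaves this way; the default of a binary named "jerry" on PATH is an assumption) and a POSIX host, where a child killed by a signal reports a negative return code. The classification turns a failed JERRY_ASSERT, which aborts the child with SIGABRT, into an "engine_crash" result the host can log and recover from.

```python
"""Run untrusted JavaScript through the engine in a separate process and
classify what happened, so a parser crash is an event the host handles
rather than a crash of the host itself.

Added example for this advisory; not code from the page or the JerryScript
project. Assumptions: the engine command takes the script path as its last
argument (the jerry CLI does; "jerry" on PATH is assumed), and the host is
POSIX, where subprocess reports a signal death as a negative return code.
"""
import os
import resource
import signal
import subprocess
import tempfile
from dataclasses import dataclass


@dataclass
class RunResult:
    outcome: str   # "ok" | "script_error" | "engine_crash" | "timeout" | "engine_missing"
    detail: str    # signal name, exit status, or an output excerpt


def _limit_child(cpu_seconds: int, mem_bytes: int):
    """preexec hook: cap CPU time and address space of the engine process."""
    for res, limit in ((resource.RLIMIT_CPU, cpu_seconds),
                       (resource.RLIMIT_AS, mem_bytes)):
        try:
            resource.setrlimit(res, (limit, limit))
        except ValueError:
            pass  # hard limit already lower than requested; keep the stricter one


def run_script_isolated(script: str, engine_cmd=("jerry",), timeout=5.0,
                        mem_bytes=256 << 20) -> RunResult:
    """Execute `script` in a child process and map the result to an outcome.

    exit 0               -> "ok"
    killed by a signal   -> "engine_crash"; a failed JERRY_ASSERT in a debug
                            build aborts the process, so this is SIGABRT
    other non-zero exit  -> "script_error" (engine survived; the script did not)
    no result in time    -> "timeout" (subprocess.run kills the child)
    """
    with tempfile.NamedTemporaryFile("w", suffix=".js", delete=False) as f:
        f.write(script)
        path = f.name
    cpu = max(1, int(timeout) + 1)
    try:
        proc = subprocess.run(
            [*engine_cmd, path], capture_output=True, text=True,
            timeout=timeout, preexec_fn=lambda: _limit_child(cpu, mem_bytes),
        )
    except subprocess.TimeoutExpired:
        return RunResult("timeout", f"no result within {timeout}s")
    except FileNotFoundError:
        return RunResult("engine_missing", f"cannot execute {engine_cmd[0]}")
    finally:
        os.unlink(path)

    rc = proc.returncode
    if rc < 0:  # terminated by signal -rc
        return RunResult("engine_crash", signal.Signals(-rc).name)
    if rc != 0:
        return RunResult("script_error", proc.stderr.strip()[:200] or f"exit {rc}")
    return RunResult("ok", proc.stdout.strip()[:200])


if __name__ == "__main__":
    # Constructed benign script; with a real jerry binary on PATH the outcome is "ok".
    print(run_script_isolated("var a = 1; for (var i = 0; i < 3; i++) { a += i; }"))
```

The host should feed every non-"ok" result to its logging pipeline together with the script's origin; a run of "engine_crash" results carrying SIGABRT from one submitter is exactly the pattern the detection section keys on. The resource limits are there so that a script which is merely slow or memory-hungry cannot hold the worker indefinitely while the crash handling is in place.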

🧯 If You Can't Patch

  • Restrict script submission to authenticated, trusted sources and reject scripts arriving from the network at the application boundary; the bug needs attacker-chosen source text to reach the parser.
  • Run the engine out of process with automatic restart (see Sandbox Execution) so a crash is a logged event rather than an outage.
  • Alert on engine aborts: a burst of assertion failures or SIGABRT exits from the JavaScript worker is the fingerprint of someone probing this bug.

🔍 How to Verify

Check if Vulnerable:

JerryScript is normally vendored as source, so inspect the checkout or submodule your build actually compiles. Commit 05dbbd1 is the revision the report was made against, not the one that introduced the defect, so being on a different commit does not by itself clear you: any tree that does not include the fix from the linked issue should be treated as vulnerable.

Check Version:

Record the exact revision: for a git checkout or submodule, the output of git rev-parse HEAD; for a vendored copy without git metadata, the hash noted in your vendoring manifest or at the time the sources were copied in. Also note whether the build defines JERRY_NDEBUG, since that decides whether the failure shows up as an abort.

Verify Fix Applied:

Rebuild from a commit that contains the fix, then re-run the triggering input from the upstream report, if you have it, in a debug build where the assertion is active, and confirm the engine no longer aborts. Running only benign scripts proves nothing, because they never reach the failing assertion.

📡 Detection & Monitoring

Log Indicators:

  • Engine output of the form Assertion '...' failed at ...(parser_parse_for_statement_start):..., emitted by a failed JERRY_ASSERT just before the abort
  • The JavaScript worker exiting on SIGABRT (status 6, shown by supervisors as killed/ABRT), followed by a restart, each time correlated with a script submission

Network Indicators:

  • A script submission immediately preceding each crash, and the same source address recurring across crashes (a submitter probing or repeating the trigger)

SIEM Query:

Select crash events from the JavaScript worker whose message contains both "Assertion" with "failed" and "parser_parse_for_statement_start", join each to the preceding script-submission event from the same host and process id to recover the script and its source, and escalate when one source address is tied to more than one crash.
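A worked version of that detection logic, added here as an example rather than taken from the page or the JerryScript project. The log lines are constructed: the assertion line follows the general shape of a JERRY_ASSERT failure message ("Assertion '<cond>' failed at <file>(<function>):<line>") with a placeholder condition and line number, and the submission and supervisor lines are an invented application format. The regexes are assumptions to adapt to your own format; the stable tokens to key on are "Assertion", "failed" and the function name parser_parse_for_statement_start.

```python
"""Detect JerryScript parser assertion failures in application logs and tie
each one to the script submission that preceded it in the same process.

Added example for this advisory; not code from the page or the JerryScript
project. SAMPLE_LOGS is constructed: the assertion line mirrors the shape
of a JERRY_ASSERT failure message with placeholder condition/line values,
and the other lines are an invented application format.
"""
import re
from collections import Counter

SAMPLE_LOGS = """\
2024-03-01T10:00:01Z host1 app[1234]: script 7f3a accepted from 203.0.113.5
2024-03-01T10:00:01Z host1 app[1234]: ICE: Assertion 'cond' failed at jerry-core/parser/js/js-parser-statm.c(parser_parse_for_statement_start):0.
2024-03-01T10:00:01Z host1 systemd[1]: app.service: Main process exited, code=killed, status=6/ABRT
2024-03-01T10:00:02Z host1 app[1300]: script 9c01 accepted from 198.51.100.9
2024-03-01T10:00:02Z host1 app[1300]: script 9c01 completed
2024-03-01T10:05:10Z host2 app[2222]: script 41bb accepted from 192.0.2.44
2024-03-01T10:05:10Z host2 app[2222]: ICE: Assertion 'cond' failed at jerry-core/ecma/base/ecma-helpers.c(ecma_placeholder_fn):0.
"""

# Assumed formats: "<proc>[<pid>]:" prefix, a submission line, and the
# JERRY_ASSERT-style failure line. Adjust to your logging pipeline.
PROC_RE = re.compile(r"\s(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]:\s")
SUBMIT_RE = re.compile(r"script (?P<sid>\w+) accepted from (?P<src>[\d.]+)")
ASSERT_RE = re.compile(
    r"Assertion '(?P<cond>[^']*)' failed at (?P<file>[^\s(]+)\((?P<func>\w+)\):(?P<line>\d+)"
)

TARGET_FUNC = "parser_parse_for_statement_start"   # CVE-2023-34868 signature


def detect_jerry_assertions(lines):
    """Return one alert dict per JerryScript assertion-failure line.

    The most recent script submission logged by the same host and pid is
    attached, so each alert names the script id and source to investigate.
    """
    alerts = []
    last_submission = {}                    # (host, pid) -> (script id, source)
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        ts, host = parts[0], parts[1]
        pm = PROC_RE.search(line)
        key = (host, pm.group("pid")) if pm else None

        sm = SUBMIT_RE.search(line)
        if sm and key:
            last_submission[key] = (sm.group("sid"), sm.group("src"))
            continue

        am = ASSERT_RE.search(line)
        if not am or "jerry" not in am.group("file"):
            continue                        # not an engine assertion
        sid, src = last_submission.get(key, (None, None))
        is_target = am.group("func") == TARGET_FUNC
        alerts.append({
            "time": ts, "host": host, "pid": key[1] if key else None,
            "function": am.group("func"), "file": am.group("file"),
            "severity": "high" if is_target else "medium",
            "rule": "CVE-2023-34868 parser assertion" if is_target
                    else "JerryScript assertion failure",
            "script_id": sid, "source": src,
        })
    return alerts


def count_by_function(alerts):
    """Aggregate for a dashboard: how often each engine function aborted."""
    return Counter(a["function"] for a in alerts)


if __name__ == "__main__":
    for alert in detect_jerry_assertions(SAMPLE_LOGS.splitlines()):
        print(alert)
```

The function name is what distinguishes this CVE from any other engine assertion, so it drives severity, while every JerryScript assertion is still surfaced at medium, since a different function name may simply be a different bug in the same engine. Attributing by host and pid rather than by timestamp keeps a crash in one worker from being blamed on a submission to another.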

🔗 References

  • https://github.com/jerryscript-project/jerryscript/issues/5083
  • https://nvd.nist.gov/vuln/detail/CVE-2023-34868
