CVE-2023-48183

7.5 HIGH

📋 TL;DR

QuickJS (Fabrice Bellard's embeddable JavaScript engine) dereferences a NULL pointer when a script uses eval inside a for-in loop, a consequence of incorrect lexical scoping of 'this' in that construct. Anyone who can feed JavaScript source to an unpatched QuickJS instance can crash the process that embeds it. A NULL pointer dereference is ordinarily limited to denial of service; the advisory describes no path from it to code execution. Every QuickJS build that predates the fixing commit is affected.

💻 Affected Systems

Products:
  • QuickJS JavaScript Engine
Versions: All versions before commit c4cdd61a3ed284cd760faf6b00bbf0cb908da077
Operating Systems: All platforms where QuickJS runs (Linux, Windows, macOS, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw sits in the engine's handling of eval scoping, not in an optional component, so no build option removes it; a build is exposed whenever it compiles JavaScript source that combines eval with a for-in loop. Hosts that never enable the eval intrinsic (and therefore only run precompiled bytecode) do not reach the vulnerable path.

📦 What is this software?

QuickJS is a small, embeddable JavaScript engine written in C, maintained by Fabrice Bellard at https://github.com/bellard/quickjs. It is usually compiled into a host application as a library; the repository also provides the qjs interpreter and the qjsc ahead-of-time compiler.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Crash of a server-side or multi-tenant service that evaluates untrusted JavaScript in-process, taking every tenant or request sharing that process down with it. The nature of the bug (a NULL dereference, not a controlled write) and the 7.5 score point to an availability impact; treat code execution as unsubstantiated unless a follow-up analysis demonstrates it.

🟠 Likely Case

The embedding application segfaults (denial of service) when it evaluates a malicious script.

🟢 If Mitigated

No impact where QuickJS is patched, never compiles untrusted source, or runs in a separate process that is restarted on failure.

🌐 Internet-Facing: MEDIUM - Risk depends on how QuickJS is deployed; if used in web servers or APIs processing user JavaScript, risk is significant.
🏢 Internal Only: LOW - Lower risk if QuickJS is only used internally with trusted code.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires supplying JavaScript source that uses eval inside a for-in loop to a vulnerable engine; no authentication is involved beyond whatever gates script submission. No public proof of concept is listed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit c4cdd61a3ed284cd760faf6b00bbf0cb908da077 or later

Vendor Advisory: https://github.com/bellard/quickjs/commit/c4cdd61a3ed284cd760faf6b00bbf0cb908da077

Restart Required: Yes

Instructions:

1. Update the QuickJS checkout to commit c4cdd61a3ed284cd760faf6b00bbf0cb908da077 or later (or a release that contains it).
2. Rebuild QuickJS from source. QuickJS is normally vendored or linked statically (libquickjs.a), so every application that embeds it must itself be rebuilt and redeployed; replacing a single shared library is not enough.
3. Restart every process that embeds QuickJS.

🔧 Temporary Workarounds

Disable eval usage (all platforms)

Build the host context without the eval intrinsic: create it with JS_NewContextRaw() and add only the intrinsics you need, leaving out JS_AddIntrinsicEval(). Without that intrinsic, eval() in script throws and JS_Eval() refuses source text altogether, so only bytecode compiled ahead of time with qjsc (loaded via JS_ReadObject() and JS_EvalFunction()) can run; programs generated with qjsc get the same effect from its -fno-eval flag. This removes the vulnerable path entirely for hosts that do not need run-time compilation.

Input validation (all platforms)

Where untrusted source must be compiled, reject or quarantine scripts that place eval inside a for-in loop before they reach the engine. Treat this as defence in depth only: a textual filter cannot tell eval in a string or comment from a real call, and it misses calls that reach eval indirectly (for example through a computed property such as globalThis["ev" + "al"]).

🧯 If You Can't Patch

  • Run QuickJS in its own worker process (ideally under seccomp or a container) so a NULL dereference kills only that worker, and have a supervisor restart it. In-process limits such as JS_SetMemoryLimit() and JS_SetInterruptHandler() bound resource use but do not survive a segfault.
  • Reject scripts that combine eval with a for-in loop at the point where untrusted JavaScript enters the system, remembering that this is a heuristic and can be bypassed.

🔍 How to Verify

Check if Vulnerable:

Any QuickJS source tree that does not contain commit c4cdd61a3ed284cd760faf6b00bbf0cb908da077 is vulnerable. In a git checkout, 'git merge-base --is-ancestor c4cdd61a3ed284cd760faf6b00bbf0cb908da077 HEAD' exits 0 when the fix is included. For vendored copies without history, diff quickjs.c against a checkout that contains the commit.

Check Version:

The interpreter reports only a date-based release string (the first line of 'qjs -h', e.g. 2021-03-27), which identifies a release but not an individual commit. Use it to tell whether you are on a release newer than the fix, and fall back to the git check above when in doubt.

Verify Fix Applied:

Confirm that deployed binaries were rebuilt from a tree containing commit c4cdd61a3ed284cd760faf6b00bbf0cb908da077 or later, and that every application embedding QuickJS was rebuilt, not only the qjs binary.

📡 Detection & Monitoring

Log Indicators:

  • SIGSEGV / segmentation faults, core dumps, or abnormal exits of processes that embed QuickJS, correlated with the script they were evaluating at the time; a backtrace through quickjs.c frames confirms the engine as the crash site.

Network Indicators:

  • Submitted JavaScript that places eval inside a for-in loop, especially from clients that never previously used eval.

SIEM Query:

Alert on crash events (signal 11, core dumps, supervisor restarts) for any process known to link QuickJS, and join them with the request or job that supplied the script so the offending input can be retrieved.
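The input-validation workaround and the network indicator above come down to one check: does a script contain a bare eval(...) call lexically inside a for-in body? The following scanner is an added example, not code from this page or the QuickJS project. It skips strings, template literals and comments so that "eval" inside text does not count, tracks brace depth so a call after the loop has closed does not count, and runs over constructed sample payloads, one of which reaches eval through a computed property and is invisible to the filter, which is the reason filtering stays defence in depth rather than a fix.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NEST 64

static int ident_start(int c) { return isalpha(c) || c == '_' || c == '$'; }
static int ident_char(int c)  { return isalnum(c) || c == '_' || c == '$'; }

/* Skip a '...', "..." or `...` literal whose opening quote is src[i]; returns
 * the index just past the closing quote (end of string if unterminated). */
static size_t skip_quoted(const char *src, size_t i)
{
    char q = src[i++];
    for (; src[i] && src[i] != q; i++)
        if (src[i] == '\\' && src[i + 1]) i++;          /* escaped character */
    return src[i] ? i + 1 : i;
}

/* Count direct eval(...) calls lexically inside the body of a for (... in ...)
 * loop. Strings, template literals and comments are skipped; brace depth is
 * tracked so an eval after the loop closes is not counted. Regex literals and
 * ${} expressions inside templates are not modelled (known limitation). */
int count_eval_in_for_in(const char *src)
{
    size_t i = 0, n = strlen(src);
    int braces = 0, parens = 0, found = 0;
    int body[MAX_NEST], top = 0;            /* brace depth of each braced for-in body */
    int bl_brace = -1, bl_paren = 0;        /* open braceless for-in body, if any */
    int want_head = 0, head = -1, head_in = 0, pending = 0;
    char last = 0;                          /* previous significant character */

    while (i < n) {
        char c = src[i];
        if (isspace((unsigned char)c)) { i++; continue; }
        if (c == '/' && src[i + 1] == '/') { while (i < n && src[i] != '\n') i++; continue; }
        if (c == '/' && src[i + 1] == '*') {
            const char *e = strstr(src + i + 2, "*/");
            i = e ? (size_t)(e - src) + 2 : n;
            continue;
        }
        if (pending) {                      /* first token of a for-in body */
            pending = 0;
            if (c == '{') { if (top < MAX_NEST) body[top++] = braces + 1; }
            else { bl_brace = braces; bl_paren = parens; }
        }
        if (c == '"' || c == '\'' || c == '`') { i = skip_quoted(src, i); last = c; want_head = 0; continue; }
        if (ident_start((unsigned char)c)) {
            size_t s = i;
            while (i < n && ident_char((unsigned char)src[i])) i++;
            size_t len = i - s;
            int in_body = top > 0 || bl_brace >= 0;
            want_head = 0;
            if (len == 3 && !memcmp(src + s, "for", 3)) {
                want_head = 1;
            } else if (len == 2 && !memcmp(src + s, "in", 2) && head > 0 && head == parens) {
                head_in = 1;                /* `in` at the head's own paren level */
            } else if (len == 4 && !memcmp(src + s, "eval", 4) && last != '.') {
                size_t j = i;
                while (j < n && isspace((unsigned char)src[j])) j++;
                if (j < n && src[j] == '(' && in_body) found++;   /* bare eval( inside a body */
            }
            last = src[s];
            continue;
        }
        switch (c) {                        /* single-character punctuation */
        case '(': parens++; if (want_head) { head = parens; head_in = 0; } break;
        case ')': if (head == parens) { pending = head_in; head = -1; head_in = 0; } parens--; break;
        case '{': braces++; break;
        case '}': if (top > 0 && body[top - 1] == braces) top--;
                  braces--;
                  if (bl_brace > braces) bl_brace = -1;   /* braceless body closed by '}' */
                  break;
        case ';': if (bl_brace == braces && bl_paren == parens) bl_brace = -1; break;
        }
        want_head = 0;
        last = c;
        i++;
    }
    return found;
}

/* Gate for an input filter: non-zero means "hold for review", not "exploit". */
int js_payload_suspicious(const char *src) { return count_eval_in_for_in(src) > 0; }

int main(void)
{
    /* Constructed samples, not captured traffic. The last one reaches eval
     * through a computed property and is invisible to this filter. */
    const char *samples[] = {
        "for (var k in obj) { eval(\"k\"); }",
        "for (const k in o) eval(k);",
        "for (let i = 0; i < 3; i++) { eval(\"i\"); }",
        "for (k in o) { s += \"eval(\"; } eval(\"x\");",
        "for (k in o) { globalThis[\"ev\" + \"al\"](\"x\"); }",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%d  %s\n", js_payload_suspicious(samples[i]), samples[i]);
    return 0;
}
```

Use the result to route a submission for review or to tag it in the SIEM, not to declare it safe: the scanner is a lexical heuristic, and the computed-property sample shows how cheaply it is sidestepped. Whether an indirect eval reaches the same engine code path is not something this advisory establishes, which is one more reason to prefer the eval-free context over filtering.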

🔗 References

  • Fix commit: https://github.com/bellard/quickjs/commit/c4cdd61a3ed284cd760faf6b00bbf0cb908da077