Vulnerability Description
In mjs_json.c in Cesanta MongooseOS mJS 1.26, a maliciously formed JSON string can trigger an off-by-one heap-based buffer overflow in mjs_json_parse, which can potentially lead to redirection of control flow. NOTE: the original reporter disputes the significance of this finding because "there isn’t very much of an opportunity to exploit this reliably for an information leak, so there isn’t any real security impact."
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cesanta | Mongooseos Mjs | 1.26 |
Related Weaknesses (CWE)
References
- https://github.com/418sec/mjs/pull/2PatchThird Party Advisory
- https://github.com/cesanta/mjs/releases/tag/1.26Release NotesThird Party Advisory
- https://huntr.dev/bounties/1-other-mjs/ExploitThird Party Advisory
- https://github.com/418sec/mjs/pull/2PatchThird Party Advisory
- https://github.com/cesanta/mjs/releases/tag/1.26Release NotesThird Party Advisory
- https://huntr.dev/bounties/1-other-mjs/ExploitThird Party Advisory
FAQ
What is CVE-2021-31875?
CVE-2021-31875 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In mjs_json.c in Cesanta MongooseOS mJS 1.26, a maliciously formed JSON string can trigger an off-by-one heap-based buffer overflow in mjs_json_parse, which can potentially lead to redirection of cont...
How severe is CVE-2021-31875?
CVE-2021-31875 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-31875?
Check the references section above for vendor advisories and patch information. Affected products include: Cesanta Mongooseos Mjs.