From b3afca3482ecac71e47a0fd02dc582fded48ba8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20Kj=C3=A4ll?=
Date: Thu, 18 Dec 2025 18:24:19 +0100
Subject: [PATCH] boa_engine: add information about CVE-2024-43357
---
 crates/boa_engine/RUSTSEC-0000-0000.md | 45 ++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 crates/boa_engine/RUSTSEC-0000-0000.md
diff --git a/crates/boa_engine/RUSTSEC-0000-0000.md b/crates/boa_engine/RUSTSEC-0000-0000.md
new file mode 100644
index 00000000..12db4562
--- /dev/null
+++ b/crates/boa_engine/RUSTSEC-0000-0000.md
@@ -0,0 +1,45 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "boa_engine"
+date = "2024-08-14"
+url = "https://github.com/boa-dev/boa/security/advisories/GHSA-f67q-wr6w-23jq"
+references = ["https://nvd.nist.gov/vuln/detail/CVE-2024-43357","https://github.com/boa-dev/boa/commit/69ea2f52ed976934bff588d6b566bae01be313f7"]
+categories = ["denial-of-service"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"
+aliases = ["GHSA-f67q-wr6w-23jq", "CVE-2024-43367"]
+related = ["CVE-2024-43357"]
+license = "CC-BY-4.0"
+
+[versions]
+patched = [">= 0.19"]
+unaffected = ["< 0.16"]
+```
+
+# Uncaught exception when transitioning the state of `AsyncGenerator` objects from within a property getter of `then`
+
+A wrong assumption made when handling ECMAScript's AsyncGenerator operations
+can cause an uncaught exception on certain scripts.
+
+## Details
+
+Boa's implementation of AsyncGenerator makes the assumption that the state of
+an AsyncGenerator object cannot change while resolving a promise created by
+methods of AsyncGenerator such as %AsyncGeneratorPrototype%.next,
+%AsyncGeneratorPrototype%.return, or %AsyncGeneratorPrototype%.throw.
+
+However, a carefully constructed code could trigger a state transition from
+a getter method for the promise's then property, which causes the engine to
+fail an assertion of this assumption, causing an uncaught exception. This
+could be used to create a Denial Of Service attack in applications that
+run arbitrary ECMAScript code provided by an external user.
+
+## Patches
+
+Version 0.19.0 is patched to correctly handle this case.
+
+## Workarounds
+
+Users unable to upgrade to the patched version would want to use
+std::panic::catch_unwind to ensure any exceptions caused by the
+engine don't impact the availability of the main application.
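Review bot: The `aliases` array names `CVE-2024-43367` while the commit subject, the NVD reference URL and the `related` entry all use `CVE-2024-43357`, so one of the two identifiers is presumably a transposed digit. In the RustSec advisory format `aliases` holds other identifiers for this same vulnerability and `related` holds distinct but related advisories, so the CVE assigned to this issue belongs in `aliases`, and a wrong alias means tooling that looks the advisory up by CVE will miss it. If CVE-2024-43357 is the correct identifier, the fix is `aliases = ["GHSA-f67q-wr6w-23jq", "CVE-2024-43357"]` and removing the `related = ["CVE-2024-43357"]` line, unless a separate related CVE really exists. The `C:L/I:L` components of the CVSS vector also sit oddly next to a `denial-of-service`-only category and a description that mentions only an availability impact; worth confirming against the linked GHSA before publishing.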