GHSA-f67q-wr6w-23jq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f67q-wr6w-23jq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-f67q-wr6w-23jq/GHSA-f67q-wr6w-23jq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f67q-wr6w-23jq
- Aliases
- Related
- Published
- 2024-08-14T20:49:51Z
- Modified
- 2025-12-20T05:56:23.871018Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Boa has an uncaught exception when transitioning the state of `AsyncGenerator` objects
- Details
-
A wrong assumption made when handling ECMAScript's
AsyncGeneratoroperations can cause an uncaught exception on certain scripts.Details
Boa's implementation of
AsyncGeneratormakes the assumption that the state of anAsyncGeneratorobject cannot change while resolving a promise created by methods ofAsyncGeneratorsuch as%AsyncGeneratorPrototype%.next,%AsyncGeneratorPrototype%.return, or%AsyncGeneratorPrototype%.throw. However, a carefully constructed code could trigger a state transition from a getter method for the promise'sthenproperty, which causes the engine to fail an assertion of this assumption, causing an uncaught exception. This could be used to create a Denial Of Service attack in applications that run arbitrary ECMAScript code provided by an external user.Patches
Version 0.19.0 is patched to correctly handle this case.
Workarounds
Users unable to upgrade to the patched version would want to use <code>std::panic::catch_unwind</code> to ensure any exceptions caused by the engine don't impact the availability of the main application.
References
- https://github.com/boa-dev/boa/commit/69ea2f52ed976934bff588d6b566bae01be313f7
- https://github.com/tc39/ecma262/security/advisories/GHSA-g38c-wh3c-5h9r
- Database specific
{ "github_reviewed_at": "2024-08-14T20:49:51Z", "cwe_ids": [ "CWE-248" ], "severity": "HIGH", "github_reviewed": true, "nvd_published_at": "2024-08-15T21:15:17Z" }- References
-
- https://github.com/boa-dev/boa/security/advisories/GHSA-f67q-wr6w-23jq
- https://github.com/tc39/ecma262/security/advisories/GHSA-g38c-wh3c-5h9r
- https://nvd.nist.gov/vuln/detail/CVE-2024-43367
- https://github.com/boa-dev/boa/commit/69ea2f52ed976934bff588d6b566bae01be313f7
- https://github.com/boa-dev/boa
- https://rustsec.org/advisories/RUSTSEC-2024-0444.html
Affected packages
crates.io / boa_engine
Package
- Name
- boa_engine
- View open source insights on deps.dev
- Purl
- pkg:cargo/boa_engine