CVE-2024-13903
Published: 21 March 2025
Summary
CVE-2024-13903 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in quickjs-ng QuickJS. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 38.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires timely patching and remediation of known flaws like this stack-based buffer overflow in QuickJS, preventing exploitation via upgrade to version 0.9.0.
Implements memory protection mechanisms such as stack canaries, ASLR, and DEP that directly mitigate stack-based buffer overflows by preventing unauthorized memory execution or overflow exploitation.
Enables vulnerability scanning to identify the presence of CVE-2024-13903 in deployed QuickJS components, facilitating remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in QuickJS qjs component enables remote denial of service via crafted JavaScript input causing application crash, facilitating T1499.004 (Application or System Exploitation).
NVD Description
A vulnerability was found in quickjs-ng QuickJS up to 0.8.0. It has been declared as problematic. Affected by this vulnerability is the function JS_GetRuntime of the file quickjs.c of the component qjs. The manipulation leads to stack-based buffer overflow. The attack can be launched remotely. Upgrading to version 0.9.0 is able to address this issue. The patch is named 99c02eb45170775a9a679c32b45dd4000ea67aff. It is recommended to upgrade the affected component.
Deeper analysis
CVE-2024-13903 is a stack-based buffer overflow vulnerability affecting the quickjs-ng QuickJS JavaScript engine in versions up to 0.9.0. The issue resides in the JS_GetRuntime function within the quickjs.c file of the qjs component. Manipulation of this function triggers the overflow, as classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write). The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L), indicating moderate severity primarily impacting availability.
The vulnerability can be exploited remotely by unauthenticated attackers over a network with low complexity, but it requires user interaction to trigger. Successful exploitation results in limited denial-of-service effects, such as application crashes due to the stack overflow, with no impact on confidentiality or integrity.
Mitigation is addressed by upgrading to QuickJS version 0.9.0, which includes the fixing commit 99c02eb45170775a9a679c32b45dd4000ea67aff. Additional details are available in the project's GitHub issue #775 and release notes for v0.9.0.
Details
- CWE(s)