Cyber Resilience

CVE-2025-47154

Critical

Published: 01 May 2025

Modified: 15 April 2026
CVSS Score v3.1: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0342 (87.7th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-47154 is a critical-severity Missing Synchronization (CWE-820) vulnerability in Jessie (inferred from references). Its CVSS base score is 9.0 (Critical).

Operationally, it ranks in the top 12.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-47154 is a use-after-free vulnerability in LibJS, the JavaScript engine component of the Ladybird browser, present in all versions prior to commit f5a6704. The flaw stems from incorrect handling of the vector referenced by arguments_list during memory freeing operations, which can be triggered by processing a specially crafted .js file. The issue carries a CVSS 3.1 score of 9.0 and is classified under CWE-820.

Remote attackers can exploit the vulnerability over the network, without authentication or user interaction, to achieve arbitrary code execution, although the attack complexity is high. Ladybird remains in a pre-alpha state intended only for developers; the affected code paths are reachable when the browser parses untrusted JavaScript.

The referenced commit f5a670421954fc7130c3685b713c621b29516669 restores proper lifetime management for the arguments_list vector. A technical write-up at jessie.cafe details the root cause and exploitation primitives, while discussion on Hacker News provides additional community context on the finding.

EPSS scores have remained low and stable near 0.03 with no material increase after disclosure.

Vulnerability details

LibJS in Ladybird before f5a6704 mishandles the freeing of the vector that arguments_list references, leading to a use-after-free, and allowing remote attackers to execute arbitrary code via a crafted .js file. NOTE: the GitHub README says "Ladybird is in a pre-alpha state, and only suitable for use by developers."

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Jessie
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
