CVE-2025-47154
Published: 01 May 2025
Summary
CVE-2025-47154 is a critical-severity Missing Synchronization (CWE-820) vulnerability in Jessie (inferred from references). Its CVSS base score is 9.0 (Critical).
Operationally, it is ranked in the top 12.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-47154 is a use-after-free vulnerability in LibJS, the JavaScript engine component of the Ladybird browser, present in all versions prior to commit f5a6704. The flaw stems from incorrect handling of the vector referenced by arguments_list during memory freeing operations, which can be triggered by processing a specially crafted .js file. The issue carries a CVSS 3.1 score of 9.0 and is classified under CWE-820.
Remote attackers can exploit the vulnerability over the network, without authentication or user interaction, to achieve arbitrary code execution, although the attack requires high complexity. Ladybird remains in a pre-alpha state intended only for developers; the affected code paths are reachable when the browser parses untrusted JavaScript.
The referenced commit f5a670421954fc7130c3685b713c621b29516669 restores proper lifetime management for the arguments_list vector. A technical write-up at jessie.cafe details the root cause and exploitation primitives, while discussion on Hacker News provides additional community context on the finding.
EPSS scores have remained low and stable near 0.03 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-14653
Vulnerability details
LibJS in Ladybird before f5a6704 mishandles the freeing of the vector that arguments_list references, leading to a use-after-free, and allowing remote attackers to execute arbitrary code via a crafted .js file. NOTE: the GitHub README says "Ladybird is in a pre-alpha state, and only suitable for use by developers."
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.