quickjs-ng QuickJS Use-After-Free Vulnerability in Iterator.concat Function

Vulnerability

A use-after-free vulnerability has been identified in quickjs-ng QuickJS versions through 0.12.1. The issue arises in the js_iterator_concat_return function within quickjs.c, where the iterator handling can be manipulated to create a re-entrancy problem. This vulnerability requires local access to exploit.

Impact

Exploitation of this vulnerability leads to a heap-use-after-free condition, where memory that has been freed is accessed again, potentially causing a program crash, unexpected behavior, or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by calling the Iterator.concat method with an object that has a custom iterator implementation. That implementation invokes the iterator's return method during iteration, which frees internal state entries. When iteration resumes, the function attempts to free the same entries again, leading to the use-after-free condition.
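The re-entrancy pattern described above, shown as an added example: a simplified C model written for this page, not code from quickjs-ng and not the project's patch. All names (ConcatState, concat_return, finish_vulnerable, finish_hardened, run_model) are hypothetical, and releases are tracked with flags so the repeated release is counted rather than performed.

```c
#include <stdio.h>
/* Simplified model, NOT quickjs-ng source. "Freeing" an entry only clears a
   flag, so a repeated release is counted instead of corrupting the heap. */
enum { N_ENTRIES = 3 };
typedef struct ConcatState ConcatState;
typedef void (*UserHook)(ConcatState *);  /* stands in for script-defined code */
struct ConcatState {
    int live[N_ENTRIES];  /* 1 = allocated, 0 = released */
    int count;            /* entries the state still owns */
    int violations;       /* releases of an already-released entry */
    UserHook hook;        /* custom iterator method; may be NULL */
};

static void release_entries(ConcatState *s, int n) {
    for (int i = 0; i < n; i++) {
        if (!s->live[i]) s->violations++;  /* real code: heap-use-after-free */
        s->live[i] = 0;
    }
}

/* Models return(): give up ownership first, then release. Idempotent. */
static void concat_return(ConcatState *s) {
    int n = s->count;
    s->count = 0;
    release_entries(s, n);
}

/* Vulnerable shape: entry count cached across the call into user code. */
static void finish_vulnerable(ConcatState *s) {
    int n = s->count;
    if (s->hook) s->hook(s);   /* may re-enter concat_return() */
    release_entries(s, n);     /* stale n: entries may already be gone */
    s->count = 0;
}

/* Hardened shape: state is re-read only after user code has run. */
static void finish_hardened(ConcatState *s) {
    if (s->hook) s->hook(s);
    concat_return(s);
}
static void reentrant_hook(ConcatState *s) { concat_return(s); }

/* Runs one teardown and returns how many bad releases were observed. */
int run_model(int hardened, int reentrant) {
    ConcatState s = { {1, 1, 1}, N_ENTRIES, 0, reentrant ? reentrant_hook : NULL };
    if (hardened) finish_hardened(&s); else finish_vulnerable(&s);
    return s.violations;
}

int main(void) {
    printf("vulnerable: %d, hardened: %d\n", run_model(0, 1), run_model(1, 1));
}
```

In a native build the counted violations correspond to the accesses a sanitizer such as AddressSanitizer reports as heap-use-after-free.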

Remediation

Users are advised to update to the patched version of quickjs-ng QuickJS, which is available on the project's GitHub repository.

Added: Mar 12, 2026, 4:20 AM
Updated: Mar 12, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.6
remediation: 7.7
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.