CVE-2020-24345 in JerryScript
Summary
by MITRE
** DISPUTED ** JerryScript through 2.3.0 allows stack consumption via function a(){new new Proxy(a,{})}JSON.parse("[]",a). NOTE: the vendor states that the problem is the lack of the --stack-limit option.
Analysis
by VulDB Data Team • 05/05/2025
The vulnerability identified as CVE-2020-24345 affects JerryScript versions through 2.3.0 and represents a stack consumption issue that can be triggered through specific JavaScript code patterns. This vulnerability manifests when executing a particular function construction combined with JSON.parse operations, creating a scenario where excessive stack memory consumption occurs during script execution. The reported exploit pattern involves the construction of a function that utilizes nested Proxy objects alongside JSON parsing operations, which can lead to uncontrolled stack growth and potential system instability.
The technical flaw stems from insufficient stack limit enforcement within the JerryScript engine implementation. When the problematic JavaScript code executes, it creates a recursive-like structure through the Proxy object construction and subsequent JSON parsing operations that consumes stack memory without proper bounds checking. This behavior aligns with CWE-772, which describes insufficient resource management leading to stack exhaustion, and represents a classic example of resource exhaustion vulnerabilities that can be exploited to cause denial of service conditions. The vulnerability demonstrates poor implementation of stack boundary controls within the JavaScript engine's execution environment.
The operational impact of this vulnerability extends beyond simple denial of service scenarios, as it can potentially be leveraged by attackers to consume system resources and cause application instability. When exploited in web browsers or embedded systems running JerryScript, this vulnerability can lead to application crashes, system hangs, or complete service unavailability. The issue is particularly concerning in embedded environments where memory resources are limited and stack exhaustion can have cascading effects on system stability. From an attacker's perspective, this represents a low-effort, high-impact vector for denial of service attacks that can be executed with minimal privileges and requires no special access to system resources.
The vendor's response acknowledging that the issue stems from the lack of the --stack-limit option provides important context for mitigation strategies. This indicates that the vulnerability can be addressed through proper configuration of stack limits within the JerryScript engine. Organizations should implement the --stack-limit option when deploying JerryScript applications to prevent unbounded stack consumption. Additionally, system administrators should monitor stack usage patterns and implement memory limits for JavaScript execution environments. The ATT&CK framework categorizes this vulnerability under T1499.004, which covers resource exhaustion, and represents a specific implementation weakness that can be mitigated through proper parameter configuration and resource management practices. System hardening should include regular updates to JerryScript versions that address stack management issues and implementation of proper input validation to prevent exploitation of similar patterns.
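The mitigation above depends on the engine enforcing a stack limit. As an added example (not code from JerryScript, MITRE or VulDB), the script below runs the pattern from the summary on an engine that does enforce one and reports how the recursion ends. It assumes Node.js, whose engine raises a RangeError at its stack limit; the names probeStackGuard, runReportedPattern and runControl are hypothetical.

```javascript
'use strict';

// Run fn and classify how it ended. A RangeError means the engine's stack
// guard stopped the recursion and handed control back to the caller.
function probeStackGuard(fn) {
  try {
    fn();
    return 'completed';
  } catch (err) {
    if (err instanceof RangeError) return 'stopped-by-stack-limit';
    throw err; // anything else is unexpected for this probe
  }
}

// The pattern from the CVE summary, with a counter added to record how many
// times a() was entered before the engine intervened.
function runReportedPattern() {
  let entries = 0;
  function a() {
    entries++;
    // new Proxy(a, {}) has no construct trap, so `new` on the proxy
    // forwards to a() itself: every call re-enters a() one level deeper.
    new new Proxy(a, {});
  }
  // JSON.parse invokes the reviver a() once for the root value.
  const outcome = probeStackGuard(() => JSON.parse('[]', a));
  return { outcome, entries };
}

// Control case: a reviver that does not recurse completes normally.
function runControl() {
  return probeStackGuard(() => JSON.parse('[]', (key, value) => value));
}

const report = runReportedPattern();
console.log(`reported pattern: ${report.outcome} after ${report.entries} entries`);
console.log(`control reviver:  ${runControl()}`);
```

With a stack limit in force the recursion ends as an exception the embedding application can catch and log. On a build without one nothing bounds it, which is the condition the vendor's note refers to.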