CVE-2025-70347 in mquickjs
Summary
by MITRE • 02/10/2026
An issue in mquickjs before commit 74b7e (2026-01-15) allows a local attacker to cause a denial of service via a crafted file to the get_mblock_size function at mquickjs.c.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/19/2026
The vulnerability identified as CVE-2025-70347 represents a critical denial of service flaw within the mquickjs JavaScript engine library. This issue affects versions prior to commit 74b7e dated January 15, 2026, where a local attacker can exploit a specially crafted file to trigger a denial of service condition through the get_mblock_size function located in the mquickjs.c source file. The vulnerability stems from inadequate input validation and memory management handling within the JavaScript engine's memory allocation routines, creating an avenue for malicious actors to disrupt system availability. The affected mquickjs implementation demonstrates poor error handling when processing malformed input data, particularly in how it manages memory block sizing operations during JavaScript execution contexts.
The technical implementation of this vulnerability occurs within the get_mblock_size function which is responsible for determining memory block sizes during JavaScript object allocation. When a local attacker provides a crafted file containing malformed data structures, the function fails to properly validate the input parameters before proceeding with memory calculations. This leads to a situation where the memory management subsystem can be manipulated to allocate excessive memory blocks or cause memory corruption that ultimately results in process termination or system instability. The flaw operates at the intersection of memory management and input validation, creating a condition where untrusted input can directly influence memory allocation behavior. This vulnerability type aligns with CWE-122, which describes heap-based buffer overflow conditions, and CWE-400, which covers resource exhaustion vulnerabilities in software systems. The attack vector is classified as local privilege escalation since the exploit requires local system access to manipulate the targeted file, though the impact extends to system availability and service disruption.
The operational impact of this vulnerability extends beyond simple service interruption to potentially compromise system stability and availability of applications relying on the mquickjs engine. When exploited, the denial of service condition can cause applications to crash or become unresponsive, leading to cascading failures in systems where JavaScript execution is integral to core functionality. The vulnerability affects any system running software that utilizes mquickjs prior to the patched version, including embedded systems, web applications, and server environments where JavaScript execution is required. Organizations using affected versions face risks of unauthorized service disruption and potential data access limitations. The attack requires minimal privileges and can be executed by any local user, making it particularly concerning for multi-tenant environments where isolation between users is critical. According to ATT&CK framework, this vulnerability maps to T1499.004, which covers network denial of service, and T1566.001, which involves phishing with malicious attachments, though the local nature of the attack reduces the attack surface compared to remote exploitation scenarios.
Mitigation strategies for CVE-2025-70347 should prioritize immediate patch application to versions containing commit 74b7e or later, which includes proper input validation and memory management corrections. System administrators should implement robust monitoring for unusual memory allocation patterns and process termination events that could indicate exploitation attempts. Additionally, organizations should consider implementing file integrity monitoring solutions to detect unauthorized modifications to JavaScript engine components and establish automated patch management processes to ensure timely deployment of security updates. Network segmentation and privilege separation can help limit the potential impact if exploitation occurs, while regular security assessments should verify that no other components within the system are vulnerable to similar memory management flaws. The fix implemented in commit 74b7e addresses the core issue by introducing proper bounds checking and input validation within the get_mblock_size function, preventing malicious input from causing memory allocation failures that lead to denial of service conditions.