CVE-2024-36120 - Vulnerability Details - OpenCVE

javascript-deobfuscator removes common JavaScript obfuscation techniques. In affected versions crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0. Users are advised to update. Users unable to upgrade should disable the expression simplification feature.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00292.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Ben-sb	Javascript Deobfuscator

No data.

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-2007	javascript-deobfuscator removes common JavaScript obfuscation techniques. In affected versions crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0. Users are advised to update. Users unable to upgrade should disable the expression simplification feature.
Github GHSA	GHSA-9p6p-8v9r-8c9m	javascript-deobfuscator crafted payload can lead to code execution

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6
https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m

History

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00178}`	epss `{'score': 0.00281}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-31T16:29:14.773Z

Updated: 2024-08-02T03:30:12.973Z

Reserved: 2024-05-20T21:07:48.189Z

Link: CVE-2024-36120

Vulnrichment

Updated: 2024-05-31T18:49:24.276Z

NVD

Status : Awaiting Analysis

Published: 2024-05-31T17:15:09.317

Modified: 2024-11-21T09:21:39.810

Link: CVE-2024-36120

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36120", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-20T21:07:48.189Z", "datePublished": "2024-05-31T16:29:14.773Z", "dateUpdated": "2024-08-02T03:30:12.973Z"}, "containers": {"cna": {"title": "javascript-deobfuscator crafted payload can lead to code execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m"}, {"name": "https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6", "tags": ["x_refsource_MISC"], "url": "https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6"}], "affected": [{"vendor": "ben-sb", "product": "javascript-deobfuscator", "versions": [{"version": "< 1.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-31T16:44:17.180Z"}, "descriptions": [{"lang": "en", "value": "javascript-deobfuscator removes common JavaScript obfuscation techniques. In affected versions crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0. Users are advised to update. Users unable to upgrade should disable the expression simplification feature."}], "source": {"advisory": "GHSA-9p6p-8v9r-8c9m", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36120", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-31T18:29:44.579398Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ben-sb:javascript_deobfuscator:*:*:*:*:*:*:*:*"], "vendor": "ben-sb", "product": "javascript_deobfuscator", "versions": [{"status": "affected", "version": "0", "lessThan": "1.1.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:47:46.023Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:30:12.973Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m"}, {"name": "https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36120", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-20T21:07:48.189Z", "datePublished": "2024-05-31T16:29:14.773Z", "dateUpdated": "2024-06-04T17:47:46.023Z"}, "containers": {"cna": {"title": "javascript-deobfuscator crafted payload can lead to code execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m"}, {"name": "https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6", "tags": ["x_refsource_MISC"], "url": "https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6"}], "affected": [{"vendor": "ben-sb", "product": "javascript-deobfuscator", "versions": [{"version": "< 1.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-31T16:44:17.180Z"}, "descriptions": [{"lang": "en", "value": "javascript-deobfuscator removes common JavaScript obfuscation techniques. In affected versions crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0. Users are advised to update. Users unable to upgrade should disable the expression simplification feature."}], "source": {"advisory": "GHSA-9p6p-8v9r-8c9m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36120", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-31T18:29:44.579398Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ben-sb:javascript_deobfuscator:*:*:*:*:*:*:*:*"], "vendor": "ben-sb", "product": "javascript_deobfuscator", "versions": [{"status": "affected", "version": "0", "lessThan": "1.1.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-31T18:49:24.276Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"descriptions": [{"lang": "en", "value": "javascript-deobfuscator removes common JavaScript obfuscation techniques. In affected versions crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0. Users are advised to update. Users unable to upgrade should disable the expression simplification feature."}, {"lang": "es", "value": "javascript-deobfuscator elimina t\u00e9cnicas comunes de ofuscaci\u00f3n de JavaScript. En las versiones afectadas, los payloads manipulados destinados a la simplificaci\u00f3n de expresiones pueden conducir a la ejecuci\u00f3n de c\u00f3digo. Este problema se solucion\u00f3 en la versi\u00f3n 1.1.0. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben desactivar la funci\u00f3n de simplificaci\u00f3n de expresiones."}], "id": "CVE-2024-36120", "lastModified": "2024-11-21T09:21:39.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-31T17:15:09.317", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6"}, {"source": "security-advisories@github.com", "url": "https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}