Description
An issue in QuickJS-NG v.0.12.1 allows an attacker to execute arbitrary code via the js_mapped_arguments_mark function
Published: 2026-05-11
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An issue in QuickJS‑NG v0.12.1 allows an attacker to execute arbitrary code by abusing the internal garbage‑collector function js_mapped_arguments_mark. The flaw is triggered when the function is invoked incorrectly during argument mapping, enabling malicious code to run with the privileges of the JavaScript engine. This is a classic code‑execution vulnerability described by CWE‑94 and can compromise confidentiality, integrity, and availability of any system embedding the affected engine.

Affected Systems

QuickJS‑NG version 0.12.1 is the only product identified as affected. The lightweight engine is used in embedded systems and applications that embed JavaScript execution; no additional vendors or product versions are currently reported as vulnerable.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity, yet the EPSS score of less than 1% suggests that exploitation is currently rare. The CVE is not listed in the CISA KEV catalog. Based on the description, the most likely attack vector is through the execution of malicious JavaScript that triggers the erroneous js_mapped_arguments_mark routine, possibly via crafted scripts or API calls. Although exploitation probability is low, the potential impact of remote code execution warrants careful assessment and timely mitigation.

Generated by OpenCVE AI on May 12, 2026 at 16:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a patched build of QuickJS‑NG that resolves the CWE‑94 code injection flaw, upgrading from v0.12.1 to a later release.
  • If upgrading is not feasible, isolate the JavaScript engine in a sandboxed environment and restrict execution to trusted scripts, thereby limiting the impact of the internal garbage‑collector vulnerability.
  • Enforce input validation and safe execution policies to prevent exploitation of the internal function, addressing the CWE‑94 weakness by preventing unauthorized code paths.
  • Monitor system logs for abnormal calls to internal GC functions and investigate any suspicious activity promptly.

Generated by OpenCVE AI on May 12, 2026 at 16:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 16:30:00 +0000

Type Values Removed Values Added
Title Arbitrary Code Execution via js_mapped_arguments_mark in QuickJS‑NG

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 22:45:00 +0000

Type Values Removed Values Added
Title Arbitrary Code Execution via js_mapped_arguments_mark in QuickJS‑NG
First Time appeared Quickjs-ng
Quickjs-ng quickjs
Weaknesses CWE-94
Vendors & Products Quickjs-ng
Quickjs-ng quickjs

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description An issue in QuickJS-NG v.0.12.1 allows an attacker to execute arbitrary code via the js_mapped_arguments_mark function
References

Subscriptions

Quickjs-ng Quickjs
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T13:32:58.393Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37630

cve-icon Vulnrichment

Updated: 2026-05-12T13:31:18.416Z

cve-icon NVD

Status : Received

Published: 2026-05-11T21:18:59.720

Modified: 2026-05-12T14:17:02.533

Link: CVE-2026-37630

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T16:15:19Z

Weaknesses