PT-2024-30525 · Unknown · Ecmascript
Arai-A +1 · Published 2024-08-14 · Updated 2024-08-19 · CVE-2024-43357
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions
ECMAScript (affected versions not specified)
Description
A problem in the ECMAScript specification of async generators may lead to mis-implementation in a way that could present as a security issue, such as type confusion and pointer dereference. The internal async generator machinery calls regular promise resolver functions on IteratorResult objects, assuming that these objects will not be then-ables. However, these objects can be made then-able, triggering arbitrary behavior, including re-entering the async generator machinery in a way that violates some internal invariants.
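The `then` lookup the description refers to can be observed from script without involving a generator. The following is an added example, not code from the advisory or from any engine: it shows that a promise resolve function reads `then` through the prototype chain of an IteratorResult-shaped object, and that a null-prototype object is not affected. The names `makeIterResult`, `makeNullProtoIterResult`, `countThenReads` and `objectPrototypeHasThen` are hypothetical helpers.

```javascript
// Added illustration; all helper names here are hypothetical.

// Same shape as the spec's CreateIterResultObject output: an ordinary object
// that inherits from Object.prototype.
function makeIterResult(value, done) {
  return { value, done };
}

// Variant for hand-written async iterators: no prototype, nothing inherited.
function makeNullProtoIterResult(value, done) {
  return Object.assign(Object.create(null), { value, done });
}

// Counts how often resolving a promise with the result reads "then" from
// Object.prototype. The getter stands in for script that runs inside the
// resolver; it returns undefined, so resolution then continues normally.
function countThenReads(makeResult) {
  let reads = 0;
  Object.defineProperty(Object.prototype, "then", {
    configurable: true,
    get() { reads += 1; return undefined; },
  });
  try {
    const result = makeResult(1, false);
    new Promise((resolve) => resolve(result)); // synchronous Get(result, "then")
    return reads;
  } finally {
    delete Object.prototype.then; // restore the clean prototype
  }
}

// Startup check: true if every ordinary object would currently carry "then".
function objectPrototypeHasThen() {
  return "then" in Object.prototype;
}

console.log("ordinary result, reads of then:", countThenReads(makeIterResult));
console.log("null-prototype result, reads:  ", countThenReads(makeNullProtoIterResult));
console.log("Object.prototype has then now: ", objectPrototypeHasThen());
```

The null-prototype form only applies to result objects that script creates itself; results produced by the engine's own async generators are created inside the engine.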
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Implementors should refer to the latest ECMAScript specification and update their implementations to comply with the AsyncGenerator section.
Users unable to upgrade to the patched version should use exception handling mechanisms to ensure that exceptions caused by the engine don't impact the availability of the main application.
Exploit
Type Confusion
NULL Pointer Dereference
Related Identifiers
Affected Products
Ecmascript