How to fix CVE-2024-13903?

Within 30 days: Identify affected systems running quickjs-ng QuickJS and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Is Quickjs affected by CVE-2024-13903?

Organizations using quickjs-ng QuickJS should be aware of moderate risk from CVE-2024-13903, a buffer overflow vulnerability rated CVSS 5.3. Exploitation could cause memory corruption or application crashes. Proof-of-concept code is publicly available.

CVE-2024-13903

MEDIUM

2025-03-21 [email protected]

5.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:32 vuln.today

Patch Released

Mar 28, 2026 - 18:32 nvd

Patch available

PoC Detected

Mar 24, 2025 - 14:36 vuln.today

Public exploit code

CVE Published

Mar 21, 2025 - 07:15 nvd

MEDIUM 5.3

Description

A vulnerability was found in quickjs-ng QuickJS up to 0.8.0. It has been declared as problematic. Affected by this vulnerability is the function JS_GetRuntime of the file quickjs.c of the component qjs. The manipulation leads to stack-based buffer overflow. The attack can be launched remotely. Upgrading to version 0.9.0 is able to address this issue. The patch is named 99c02eb45170775a9a679c32b45dd4000ea67aff. It is recommended to upgrade the affected component.

Analysis

A vulnerability was found in quickjs-ng QuickJS up to 0.8.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical Context

This vulnerability is classified as Buffer Overflow (CWE-119), which allows attackers to corrupt memory to execute arbitrary code or crash the application. A vulnerability was found in quickjs-ng QuickJS up to 0.8.0. It has been declared as problematic. Affected by this vulnerability is the function JS_GetRuntime of the file quickjs.c of the component qjs. The manipulation leads to stack-based buffer overflow. The attack can be launched remotely. Upgrading to version 0.9.0 is able to address this issue. The patch is named 99c02eb45170775a9a679c32b45dd4000ea67aff. It is recommended to upgrade the affected component. Affected products include: Quickjs-Ng Quickjs. Version information: up to 0.8.0..

Affected Products

Quickjs-Ng Quickjs.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Use memory-safe languages or bounds-checking. Enable ASLR, DEP/NX, stack canaries. Use safe string functions.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.6

CVSS: +26

POC: +20

CVE-2024-13903 vulnerability details – vuln.today

Back

CVE-2024-13903

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2024-13903

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code