Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
An issue in QuickJS-NG v.0.12.1 allows an attacker to execute arbitrary code via the js_mapped_arguments_mark function
AnalysisAI
Remote code execution in QuickJS-NG 0.12.1 allows unauthenticated network attackers to execute arbitrary code through the js_mapped_arguments_mark function. The vulnerability enables attackers to achieve code injection with low confidentiality, integrity, and availability impact via network-accessible JavaScript engine exploitation. EPSS score of 0.02% (5th percentile) indicates very low predicted exploitation probability, and no active exploitation has been publicly reported at time of analysis.
Technical ContextAI
QuickJS-NG is a fork of QuickJS, a small and embeddable JavaScript engine that supports ES2020 features. The vulnerability resides in the js_mapped_arguments_mark function, which is part of the garbage collection/memory marking subsystem responsible for managing JavaScript function arguments objects. CWE-94 (Code Injection) indicates the flaw allows externally-supplied code or commands to be executed within the interpreter's context. This type of vulnerability in JavaScript engines typically arises from improper validation or sanitization during parsing, compilation, or runtime execution phases, allowing specially-crafted JavaScript code to break out of intended execution boundaries.
RemediationAI
Upgrade QuickJS-NG to a version newer than 0.12.1 if available; consult the GitHub issue tracker at github.com/quickjs-ng/quickjs/issues/1400 for patch status and release information. As of this analysis, no specific patched version number has been independently confirmed from the provided data sources, and the GitHub issue link should be reviewed for maintainer responses, commits, or release notes addressing CVE-2026-37630. If immediate patching is not feasible, implement compensating controls: restrict QuickJS-NG exposure to trusted JavaScript sources only, deploy network segmentation to isolate systems running vulnerable versions, and implement input validation/sanitization for any externally-supplied JavaScript code before execution. For embedded or IoT deployments, disable network accessibility to the JavaScript engine interface if the use case permits local-only operation. Monitor the official QuickJS-NG repository for security advisories at https://github.com/quickjs-ng/quickjs. Note that restricting network access (blocking AV:N) fundamentally changes the attack surface but may conflict with legitimate use cases requiring remote script execution.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29291
GHSA-5m3h-w8g2-q63h