CVE-2025-65570
Type Confusion in Jsish 2.0 OP_NEXT Causes Crash or Code Execution
Publication date: 2025-12-29
Last updated on: 2025-12-29
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jsish | jsish | 2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a type confusion issue in jsish 2.0 that occurs during the execution of the OP_NEXT opcode. Specifically, when an "instanceof" expression uses an array element access as the left-hand operand inside a for-in loop, the implementation leaves an extra array reference on the stack instead of consuming it during OP_INSTANCEOF. Consequently, OP_NEXT misinterprets the array as an iterator object and reads a function pointer from an invalid structure, which can lead to a crash or potentially allow code execution depending on the heap layout.
How can this vulnerability impact me?
This vulnerability can cause a program using jsish 2.0 to crash unexpectedly. More seriously, depending on the heap layout, it may allow an attacker to execute arbitrary code, which could compromise the security and integrity of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing the execution of JavaScript code that uses an `instanceof` expression with an array element access as the left-hand operand inside a `for-in` loop, which triggers the bug. Detection involves monitoring for crashes or segmentation faults in the jsish 2.0 JavaScript engine, especially related to the OP_NEXT opcode execution. Since the bug was discovered using fuzzing tools like fuzzilli with custom harness patches that cause deliberate crashes after logging, similar fuzzing or instrumentation could be used to detect it. Specific commands are not provided, but one could run jsish 2.0 with test scripts containing code patterns like `for (var i in a) { a[i] instanceof f; }` and monitor for crashes or abnormal behavior. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the vulnerable jsish 2.0 JavaScript engine or disabling execution of untrusted JavaScript code that uses `instanceof` with array element access inside `for-in` loops. Since the vulnerability arises from improper stack handling in the bytecode interpreter, updating to a patched version of jsish (once available) is recommended. In the meantime, restricting or sandboxing jsish usage, disabling features that allow attacker-controlled JavaScript execution, or applying custom patches to fix the stack manipulation in the `instanceof` implementation can mitigate exploitation. [1]
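The following is an added example, not jsish's code: a hypothetical, deliberately minimal tagged-stack VM that models the bug class described above (an instanceof handler that leaves its array operand on the stack, followed by a for-in OP_NEXT) and shows the two defensive checks an interpreter can apply, a per-statement stack-depth invariant and a tag check before OP_NEXT dereferences anything as an iterator. All type names, opcode handlers and the sample array are constructed for the illustration.

```c
#include <stddef.h>
/* Hypothetical model of the bug class described above, not jsish's code:
 * a tagged VM stack, an OP_INSTANCEOF that (when `buggy` is set) leaves
 * its array operand on the stack, and an OP_NEXT hardened to verify the
 * slot's tag before it reads a function pointer out of it. */
typedef enum { T_ARRAY, T_FUNC, T_BOOL, T_ITER } Tag;
typedef struct { Tag tag; void *ptr; } Value;          /* one stack slot */
typedef struct { int (*next)(void *self); int pos; } Iter;
#define STACK_MAX 8
typedef struct { Value s[STACK_MAX]; int sp; } VM;

static void push(VM *vm, Tag t, void *p) { vm->s[vm->sp++] = (Value){ t, p }; }
static Value pop(VM *vm) { return vm->s[--vm->sp]; }
static int iter_next(void *self) { Iter *it = self; return it->pos++; }

/* Models "a[i] instanceof f": pops f and the tested value, pushes a bool.
 * With buggy != 0 the array operand is not consumed (the reported defect). */
static void op_instanceof(VM *vm, int buggy) {
    (void)pop(vm);                         /* constructor f */
    if (!buggy) (void)pop(vm);             /* left-hand operand */
    push(vm, T_BOOL, NULL);
    (void)pop(vm);                         /* expression statement discards result */
}

/* Hardened OP_NEXT: returns the next index, or -1 if the top slot is not
 * an iterator. Only after the tag check is the function pointer read. */
static int op_next_checked(VM *vm) {
    Value top = vm->s[vm->sp - 1];
    if (top.tag != T_ITER) return -1;      /* type confusion caught here */
    Iter *it = top.ptr;
    return it->next(it);                   /* safe: the slot really is an iterator */
}

/* One for-in iteration: iterator on the stack, run the body, then OP_NEXT.
 * Returns the next index on success, -2 if the body left the stack
 * unbalanced, -1 if OP_NEXT rejected the top slot. */
static int iterate_once(int buggy) {
    VM vm = { .sp = 0 };
    int arr[3] = { 1, 2, 3 };              /* constructed sample array */
    Iter it = { iter_next, 0 };
    push(&vm, T_ITER, &it);
    int base = vm.sp;                      /* stack depth before the body */
    push(&vm, T_ARRAY, arr);               /* a[i] as the tested operand */
    push(&vm, T_FUNC, NULL);               /* constructor f */
    op_instanceof(&vm, buggy);
    if (vm.sp != base) return -2;          /* per-statement depth invariant */
    return op_next_checked(&vm);
}
```

With the correct handler the iteration yields index 0; with the buggy one the depth invariant fires, and even without it the tag check in `op_next_checked` refuses to read a function pointer from the leftover array slot.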