CVE-2025-65570
Unknown Unknown - Not Provided
Type Confusion in Jsish 2.0 OP_NEXT Causes Crash or Code Execution

Publication date: 2025-12-29

Last updated on: 2025-12-29

Assigner: MITRE

Description
A type confusion in jsish 2.0 allows incorrect control flow during execution of the OP_NEXT opcode. When an “instanceof” expression uses an array element access as the left-hand operand inside a for-in loop, the instructions implementation leaves an additional array reference on the stack rather than consuming it during OP_INSTANCEOF. As a result, OP_NEXT interprets the array as an iterator object and reads the iterCmd function pointer from an invalid structure, potentially causing a crash or enabling code execution depending on heap layout.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-29
Last Modified
2025-12-29
Generated
2026-06-16
AI Q&A
2025-12-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65570
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jsish jsish 2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a type confusion issue in jsish 2.0 that occurs during the execution of the OP_NEXT opcode. Specifically, when an "instanceof" expression uses an array element access as the left-hand operand inside a for-in loop, the implementation leaves an extra array reference on the stack instead of consuming it during OP_INSTANCEOF. Consequently, OP_NEXT misinterprets the array as an iterator object and reads a function pointer from an invalid structure, which can lead to a crash or potentially allow code execution depending on the heap layout.

Impact Analysis

This vulnerability can cause a program using jsish 2.0 to crash unexpectedly. More seriously, depending on the heap layout, it may allow an attacker to execute arbitrary code, which could compromise the security and integrity of the affected system.

Detection Guidance

This vulnerability can be detected by analyzing the execution of JavaScript code that uses an `instanceof` expression with an array element access as the left-hand operand inside a `for-in` loop, which triggers the bug. Detection involves monitoring for crashes or segmentation faults in the jsish 2.0 JavaScript engine, especially related to the OP_NEXT opcode execution. Since the bug was discovered using fuzzing tools like fuzzilli with custom harness patches that cause deliberate crashes after logging, similar fuzzing or instrumentation could be used to detect it. Specific commands are not provided, but one could run jsish 2.0 with test scripts containing code patterns like `for (var i in a) { a[i] instanceof f; }` and monitor for crashes or abnormal behavior. [1]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable jsish 2.0 JavaScript engine or disabling execution of untrusted JavaScript code that uses `instanceof` with array element access inside `for-in` loops. Since the vulnerability arises from improper stack handling in the bytecode interpreter, updating to a patched version of jsish (once available) is recommended. In the meantime, restricting or sandboxing jsish usage, disabling features that allow attacker-controlled JavaScript execution, or applying custom patches to fix the stack manipulation in the `instanceof` implementation can mitigate exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65570. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart