CRITICAL🇵🇱 Wersja polska

CVE-2025-65570

CVSS 9.8v3.1pub. 2025-12-29upd. 2025-12-31

A type confusion in jsish 2.0 allows incorrect control flow during execution of the OP_NEXT opcode. When an “instanceof” expression uses an array element access as the left-hand operand inside a for-in loop, the instructions implementation leaves an additional array reference on the stack rather than consuming it during OP_INSTANCEOF. As a result, OP_NEXT interprets the array as an iterator object and reads the iterCmd function pointer from an invalid structure, potentially causing a crash or enabling code execution depending on heap layout.

🤖 AI Analysis
How it works

When the 'instanceof' expression uses array element access as the left-hand operand within a for-in loop, the OP_INSTANCEOF opcode implementation leaves an additional reference to the array on the stack instead of consuming it. Subsequently, the OP_NEXT opcode incorrectly interprets this array as an iterator object and reads the iterCmd function pointer from an incorrect structure. This leads to a situation where the interpreter operates on data with an incorrect type (CWE-843: type confusion), which opens the possibility of controlled control flow hijacking.

Impact

An attacker can cause the interpreter to crash or — depending on the heap layout — execute arbitrary code with the privileges of the process running Jsish. The complete CIA triad is at risk (confidentiality, integrity, availability).

Mitigation & patch

Apply patches available from the vendor according to the references. Until a patch is released, it is recommended to avoid running untrusted JavaScript code in the Jsish 2.0 environment and restrict access to the interpreter only to trusted users.

Who is affected

Jsish version 2.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Jsish

    APP
    Jsish
    2.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-24189CRITICAL9.8PL ✓ten sam produkt

Use-after-free w Jsish v3.5.0 — podatność krytyczna w SplitChar

CVE-2024-24188CRITICAL9.8PL ✓ten sam produkt

Heap-buffer-overflow w Jsish v3.5.0 — podatność krytyczna RCE

CVE-2024-24186CRITICAL9.8PL ✓ten sam produkt

Stack-overflow w Jsish v3.5.0 — przepełnienie stosu w IterGetKeysCallback

CVE-2020-22874CRITICAL9.8ten sam produkt

Integer overflow vulnerability in function Jsi_ObjArraySizer in jsish before 3.0.8, allows remote attackers to...

CVE-2020-22875CRITICAL9.8ten sam produkt

Integer overflow vulnerability in function Jsi_ObjSetLength in jsish before 3.0.6, allows remote attackers to ...