{"id":"RUSTSEC-2024-0444","summary":"Uncaught exception when transitioning the state of `AsyncGenerator` objects from within a property getter of `then`","details":"A wrong assumption made when handling ECMAScript's AsyncGenerator operations\ncan cause an uncaught exception on certain scripts.\n\n## Details\n\nBoa's implementation of AsyncGenerator makes the assumption that the state of\nan AsyncGenerator object cannot change while resolving a promise created by\nmethods of AsyncGenerator such as %AsyncGeneratorPrototype%.next,\n%AsyncGeneratorPrototype%.return, or %AsyncGeneratorPrototype%.throw.\n\nHowever, a carefully constructed code could trigger a state transition from\na getter method for the promise's then property, which causes the engine to\nfail an assertion of this assumption, causing an uncaught exception. This\ncould be used to create a Denial Of Service attack in applications that\nrun arbitrary ECMAScript code provided by an external user.\n\n## Patches\n\nVersion 0.19.0 is patched to correctly handle this case.\n\n## Workarounds\n\nUsers unable to upgrade to the patched version would want to use\nstd::panic::catch_unwind to ensure any exceptions caused by the\nengine don't impact the availability of the main application.","aliases":["CVE-2024-43367","GHSA-f67q-wr6w-23jq"],"modified":"2026-01-30T00:30:39.714768Z","published":"2024-08-14T12:00:00Z","related":["CVE-2024-43357"],"database_specific":{"license":"CC-BY-4.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/boa_engine"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2024-0444.html"},{"type":"ADVISORY","url":"https://github.com/boa-dev/boa/security/advisories/GHSA-f67q-wr6w-23jq"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43357"},{"type":"WEB","url":"https://github.com/boa-dev/boa/commit/69ea2f52ed976934bff588d6b566bae01be313f7"}],"affected":[{"package":{"name":"boa_engine","ecosystem":"crates.io","purl":"pkg:cargo/boa_engine"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.16.0"},{"fixed":"0.19.0"}]}],"ecosystem_specific":{"affects":{"arch":[],"os":[],"functions":[]},"affected_functions":null},"database_specific":{"cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H","informational":null,"categories":["denial-of-service"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0444.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"}]}