CVE-2023-36109

CRITICAL

JerryScript 3.0 - Buffer Overflow via ecma_stringbuilder_append_raw

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-36109. PoCs published by Limesss.

AI-analyzed exploit summary This PoC demonstrates a buffer overflow vulnerability in JerryScript's `ecma_stringbuilder_append_raw` function. The exploit manipulates a RegExp object's `exec` method to trigger the overflow during string replacement operations.

Description

Buffer Overflow vulnerability in JerryScript version 3.0, allows remote attackers to execute arbitrary code via ecma_stringbuilder_append_raw component at /jerry-core/ecma/base/ecma-helpers-string.c.

Exploits (1)

nomisec WORKING POC 2 stars

by Limesss · poc

https://github.com/Limesss/CVE-2023-36109

View Code ZIP pw:eip

This PoC demonstrates a buffer overflow vulnerability in JerryScript's `ecma_stringbuilder_append_raw` function. The exploit manipulates a RegExp object's `exec` method to trigger the overflow during string replacement operations.

Classification

Working Poc 90%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: JerryScript (version not specified, but likely affects multiple versions)

No auth needed

Prerequisites: JerryScript built with specific compile flags as described in the README

MITRE ATT&CK

T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit

https://github.com/Limesss/CVE-2023-36109/tree/main

View Exploit ZIP pw:eip

Exploit, Issue Tracking

https://github.com/jerryscript-project/jerryscript/issues/5080

Scores

CVSS v3 9.8

EPSS 0.0198

EPSS Percentile 77.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-120

Status published

Products (1)

jerryscript/jerryscript 3.0

Published Sep 20, 2023

Tracked Since Feb 18, 2026