A type confusion in jsish 2.0 allows incorrect control flow during execution of the OP_NEXT opcode. When an “instanceof” expression uses an array element access as the left-hand operand inside a for-in loop, the instructions implementation leaves an additional array reference on the stack rather than consuming it during OP_INSTANCEOF. As a result, OP_NEXT interprets the array as an iterator object and reads the iterCmd function pointer from an invalid structure, potentially causing a crash or enabling code execution depending on heap layout.
When the 'instanceof' expression uses array element access as the left-hand operand within a for-in loop, the OP_INSTANCEOF opcode implementation leaves an additional reference to the array on the stack instead of consuming it. Subsequently, the OP_NEXT opcode incorrectly interprets this array as an iterator object and reads the iterCmd function pointer from an incorrect structure. This leads to a situation where the interpreter operates on data with an incorrect type (CWE-843: type confusion), which opens the possibility of controlled control flow hijacking.
An attacker can cause the interpreter to crash or — depending on the heap layout — execute arbitrary code with the privileges of the process running Jsish. The complete CIA triad is at risk (confidentiality, integrity, availability).
Apply patches available from the vendor according to the references. Until a patch is released, it is recommended to avoid running untrusted JavaScript code in the Jsish 2.0 environment and restrict access to the interpreter only to trusted users.
Jsish version 2.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HJsish
APPJsish2.0
Related vulnerabilities
Use-after-free w Jsish v3.5.0 — podatność krytyczna w SplitChar
Heap-buffer-overflow w Jsish v3.5.0 — podatność krytyczna RCE
Stack-overflow w Jsish v3.5.0 — przepełnienie stosu w IterGetKeysCallback
Integer overflow vulnerability in function Jsi_ObjArraySizer in jsish before 3.0.8, allows remote attackers to...
Integer overflow vulnerability in function Jsi_ObjSetLength in jsish before 3.0.6, allows remote attackers to ...