PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5627 Artifex CVE debrief

CVE-2017-5627 is a high-severity integer overflow in MuJS’s parser path. A crafted JavaScript file can trigger the flaw before commit 4006739a28367c708dea19aeb19b8a1a9326ce08, creating a memory-safety risk during parsing.

Vendor: Artifex
Product: CVE-2017-5627
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-30
Original CVE updated: 2026-05-13
Advisory published: 2017-01-30
Advisory updated: 2026-05-13

Who should care

Teams that embed or ship MuJS, especially where the engine may process attacker-controlled or untrusted JavaScript files. Packagers and downstream maintainers should also verify whether their builds include a fixed MuJS revision.

Technical summary

NVD describes the issue as a missing check for a negative array length in jsR_setproperty in jsrun.c. Because that length is never validated, it can lead to an integer overflow in js_pushstring in jsrun.c when parsing a specially crafted JS file. NVD classifies the weakness as CWE-190 (integer overflow or wraparound) and rates the issue CVSS 3.1 base score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
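As an added illustration of the class of check this bug was missing (hypothetical code written for this debrief, not MuJS source, with an assumed engine cap on array length), a script-supplied number is validated as an array length before it reaches any size computation, and the byte count is computed with an overflow guard:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model written for this debrief; not MuJS source.
 * An engine cap on array length is assumed; the real engine's limit
 * is not stated on this page. */
#define MAX_ARRAY_LENGTH 0x7fffffffu

/* Validate a script-supplied number before it is used as an array length.
 * Rejects NaN, negative values (the missing check described above),
 * non-integers and anything above the cap. Returns 0 on success, -1 otherwise. */
int validate_array_length(double js_number, uint32_t *out_len) {
    if (js_number != js_number) return -1;               /* NaN */
    if (js_number < 0.0) return -1;                       /* negative length */
    if (js_number > (double)MAX_ARRAY_LENGTH) return -1;  /* too large or +inf */
    uint32_t n = (uint32_t)js_number;                     /* safe: range checked */
    if ((double)n != js_number) return -1;                /* fractional value */
    *out_len = n;
    return 0;
}

/* Compute the byte size for `len` slots of `slot_size` bytes without
 * wrapping: even a validated length can overflow the multiplication,
 * so the product is checked before it is performed. */
int slots_to_bytes(uint32_t len, size_t slot_size, size_t *out_bytes) {
    if (slot_size != 0 && len > SIZE_MAX / slot_size) return -1;
    *out_bytes = (size_t)len * slot_size;
    return 0;
}

/* Allocate backing store for a script-supplied length, or NULL on failure. */
void *alloc_array_slots(double js_length, size_t slot_size) {
    uint32_t len; size_t bytes;
    if (validate_array_length(js_length, &len) != 0) return NULL;
    if (slots_to_bytes(len, slot_size, &bytes) != 0) return NULL;
    return calloc(len == 0 ? 1 : len, slot_size);
}

int main(void) {
    /* Constructed inputs: values a script might supply as a new length. */
    double inputs[] = { 4.0, -1.0, 2.5, 1e300 };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        void *p = alloc_array_slots(inputs[i], 16);
        printf("length %g -> %s\n", inputs[i], p ? "accepted" : "rejected");
        free(p);
    }
    return 0;
}
```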

Defensive priority

High for any environment that parses untrusted or user-supplied JS with MuJS. The bug is reachable through file parsing and can affect confidentiality, integrity, and availability, so fixed builds should be prioritized in embedded and packaged deployments.

Recommended defensive actions

  • Upgrade MuJS to a revision that includes commit 4006739a28367c708dea19aeb19b8a1a9326ce08 or a later fixed release.
  • Inventory products, appliances, and applications that bundle MuJS or statically link it.
  • Treat untrusted JavaScript input as high risk until the affected parser is patched or removed.
  • If immediate upgrading is not possible, restrict who can supply JS files and isolate parsing workflows as a temporary mitigation.
  • Verify rebuilds and vendor packages after updating to ensure the fixed MuJS code is actually present.

Evidence notes

The source corpus ties the fix reference to git commit 4006739a28367c708dea19aeb19b8a1a9326ce08 and cites an issue tracker entry plus a third-party advisory. The supplied NVD record shows the affected CPE range ends before 2017-01-24 and gives the CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. No exploit code or reproduction steps are included here.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-30; the NVD entry was later modified on 2026-05-13.