PatchSiren

CVE-2017-5628 Artifex CVE debrief

CVE-2017-5628 affects Artifex Software’s MuJS JavaScript engine. The MakeDay function in jsdate.c fails to validate the month value, which can lead to an integer overflow when parsing a specially crafted JavaScript file. NVD rates the issue High (CVSS 7.8), with a local attack vector and user interaction required.

Vendor: Artifex
Product: CVE-2017-5628
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-30
Original CVE updated: 2026-05-13
Advisory published: 2017-01-30
Advisory updated: 2026-05-13

Who should care

Teams that ship, embed, or package MuJS; application owners that process untrusted JavaScript files; and defenders responsible for desktop or server systems where local file parsing could be triggered by user action.

Technical summary

The vulnerability is a month-validation failure in MakeDay within jsdate.c. Because the month is not validated before date calculations, parsing attacker-controlled JavaScript can drive an integer overflow. NVD maps this to CWE-190 and scores it CVSS 3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a local, user-assisted path with potentially serious confidentiality, integrity, and availability impact.
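The class of check described above, as an added example that is not MuJS source code and not the upstream fix: a day-number calculation that range-checks year, month and date while they are still doubles, so no out-of-range value is ever cast to an integer or used as a table index. The function name `checked_make_day`, its helpers and the `MAX_*` bounds are assumptions made for this example.

```c
#include <math.h>   /* NAN and isnan are macros; no libm calls are made */

/* Bounds assumed for this example: a little beyond the ECMAScript time range. */
#define MAX_YEAR   400000.0
#define MAX_MONTH  (12.0 * MAX_YEAR)
#define MAX_DATE   100000000.0

/* Cumulative days before each month: row 0 common year, row 1 leap year. */
static const int days_before_month[2][12] = {
    {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334},
    {0, 31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335}
};

/* Integer division rounding toward negative infinity (requires b > 0). */
static long floor_div(long a, long b)
{
    long q = a / b;
    return (a % b < 0) ? q - 1 : q;
}

static int is_leap(long y)
{
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Days from 1970-01-01 to 1 January of year y. */
static long day_from_year(long y)
{
    return 365 * (y - 1970) + floor_div(y - 1969, 4)
         - floor_div(y - 1901, 100) + floor_div(y - 1601, 400);
}

/* Day number for (year, month, date), or NAN when an input is out of range. */
double checked_make_day(double year, double month, double date)
{
    /* Written as !(in range) so NaN, which fails every comparison, is rejected. */
    if (!(year >= -MAX_YEAR && year <= MAX_YEAR)) return NAN;
    if (!(month >= -MAX_MONTH && month <= MAX_MONTH)) return NAN;
    if (!(date >= -MAX_DATE && date <= MAX_DATE)) return NAN;

    long y = (long)year, m = (long)month;  /* casts are defined: values in range */
    long carry = floor_div(m, 12);         /* whole years contained in the month */
    long mn = m - carry * 12;              /* always 0..11, safe as a table index */
    y += carry;
    return (double)(day_from_year(y) + days_before_month[is_leap(y)][mn])
         + (double)(long)date - 1;
}
```

Months outside 0..11 are folded into the year, as in 2016 month 12 becoming January 2017, while values too large to represent safely return NaN instead of reaching integer arithmetic.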

Defensive priority

High for deployments that accept or process untrusted JavaScript input; medium elsewhere due to the local, user-interaction requirement.

Recommended defensive actions

  • Upgrade MuJS to a version that includes the fix referenced by commit 8f62ea10a0af68e56d5c00720523ebcba13c2e6a.
  • Inventory products and applications that embed MuJS and verify whether they include affected code paths.
  • Treat untrusted JavaScript files as potentially dangerous and restrict where they can be opened or parsed.
  • Use application controls and file-handling policies to reduce accidental parsing of untrusted local files.
  • Monitor vendor advisories and downstream package updates for MuJS backports or patched builds.

Evidence notes

The CVE description states that MakeDay in jsdate.c does not validate the month, causing an integer overflow during parsing of a specially crafted JS file. NVD lists the affected CPE as artifex:mujs with vulnerable versions ending before 2017-01-24, and classifies the weakness as CWE-190. Reference links include the MuJS git commit, an issue tracker entry, and a third-party advisory/VDB record.

Official resources

Publicly disclosed on 2017-01-30; the supplied NVD record was last modified on 2026-05-13.