A vulnerability was found in quickjs-ng QuickJS up to 0.8.0. It has been declared as problematic. Affected by this vulnerability is the function JS_GetRuntime of the file quickjs.c of the component qjs. The manipulation leads to stack-based buffer overflow. The attack can be launched remotely. Upgrading to version 0.9.0 is able to address this issue. The patch is named 99c02eb45170775a9a679c32b45dd4000ea67aff. It is recommended to upgrade the affected component.
Conclusion & alert: CVE-2024-13903 is rated Exploit Available (52.6/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.66%). Core evidence: 2 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ | |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-22 | 0.61% | 0.66% | +0.04% |
| 2 | 2026-06-15 | 0.17% | 0.61% | +0.44% |
| 3 | 2026-04-29 | — | 0.17% | — |
Full EPSS history (14 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.3 | 4.0 | MEDIUM |
|
— | — | [email protected] |
| 4.3 | 3.1 | MEDIUM |
|
2.8 | 1.4 | [email protected] |
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 5.0 | 2.0 | MEDIUM |
|
10.0 | 2.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2024-13903 not yet assigned priority: Debian including 1 source packages (quickjs), 3 status rows across 3 suites (forky, sid, trixie): open 3. | https://security-tracker.debian.org/tracker/CVE-2024-13903 |
ubuntu
|
medium | CVE-2024-13903 medium priority: Ubuntu including 1 source packages (quickjs), 5 status rows across 5 suites (focal, jammy, noble, oracular, upstream): DNE 2, not-affected 2, released 1. | https://ubuntu.com/security/CVE-2024-13903 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| quickjs-ng | quickjs | < 0.9.0 | cpe:2.3:a:quickjs-ng:quickjs:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/quickjs-ng/quickjs/commit/99c02eb45170775a9a679c32b45dd4000ea67aff | Patch |
| https://github.com/quickjs-ng/quickjs/issues/775 | Exploit Issue Tracking |
| https://github.com/quickjs-ng/quickjs/releases/tag/v0.9.0 | Release Notes |
| https://vuldb.com/?ctiid.300571 | Permissions Required VDB Entry |
| https://vuldb.com/?id.300571 | Third Party Advisory VDB Entry |
| https://vuldb.com/?submit.517394 | Exploit Third Party Advisory VDB Entry |