CVE-2023-48183

Publication date 23 April 2024

Last updated 15 April 2025

Ubuntu priority

QuickJS before c4cdd61 has a build_for_in_iterator NULL pointer dereference because of an erroneous lexical scope of "this" with eval.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
quickjs	24.10 oracular	Not affected
	24.04 LTS noble	Fixed 2021.03.27-1ubuntu0.1~esm1 Ubuntu Pro
	23.10 mantic	Ignored end of life, was needs-triage
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release

How can I get the fixes?
What do statuses mean?

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-7439-1
QuickJS vulnerabilities
15 April 2025

Other references

https://www.cve.org/CVERecord?id=CVE-2023-48183
https://github.com/bellard/quickjs/issues/192
https://github.com/bellard/quickjs/commit/c4cdd61a3ed284cd760faf6b00bbf0cb908da077