{"id":"CVE-2025-47154","details":"LibJS in Ladybird before f5a6704 mishandles the freeing of the vector that arguments_list references, leading to a use-after-free, and allowing remote attackers to execute arbitrary code via a crafted .js file. NOTE: the GitHub README says \"Ladybird is in a pre-alpha state, and only suitable for use by developers.\"","modified":"2026-04-12T17:04:14.473166Z","published":"2025-05-01T08:15:17.950Z","references":[{"type":"WEB","url":"https://news.ycombinator.com/item?id=43852096"},{"type":"WEB","url":"https://jessie.cafe/posts/pwning-ladybirds-libjs/"},{"type":"FIX","url":"https://github.com/LadybirdBrowser/ladybird/commit/f5a670421954fc7130c3685b713c621b29516669"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ladybirdbrowser/ladybird","events":[{"introduced":"0"},{"fixed":"f5a670421954fc7130c3685b713c621b29516669"}]}],"database_specific":{"vanir_signatures_modified":"2026-04-12T17:04:14Z","vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["78145721894044113831245308110787286871","26641897745351241291467529065564590954","147734716286958743607801282599752901741","153861863509097765535148541323237756297","12151441737464691349738714897379041698","3686700072043609116267895963213803858","9424494864836323631286429448587204674","297981745157393919924355575676547882378","285647585967189702687540233700516111359","232408572668157654726044103523423143502","177727730558407447935187054991190642978","6053084403272853370610463908802501837","287008995418993049523404352925508652584","121168277611002514718875672847163919709"]},"deprecated":false,"target":{"file":"Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp"},"source":"https://github.com/ladybirdbrowser/ladybird/commit/f5a670421954fc7130c3685b713c621b29516669","signature_version":"v1","signature_type":"Line","id":"CVE-2025-47154-a2fbdd12"},{"digest":{"function_hash":"51080387462553014103704455605858948188","length":1834},"deprecated":false,"target":{"function":"ECMAScriptFunctionObject::internal_construct","file":"Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp"},"source":"https://github.com/ladybirdbrowser/ladybird/commit/f5a670421954fc7130c3685b713c621b29516669","signature_version":"v1","signature_type":"Function","id":"CVE-2025-47154-fb7c361d"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"f5a6704"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47154.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}]}