CVE-2022-44789 is a high-severity vulnerability affecting Artifex MuJS versions 1.0.0 through 1.3.x prior to 1.3.2. The flaw resides in the O_getOwnPropertyDescriptor() function, which is responsible for retrieving property descriptors in the MuJS JavaScript engine. The vulnerability is classified as a logical issue leading to memory corruption, specifically falling under CWE-787 (Out-of-bounds Write). An attacker can exploit this by crafting a malicious JavaScript file that, when loaded and processed by the vulnerable MuJS engine, triggers memory corruption. This corruption can be leveraged to achieve remote code execution (RCE) on the host system without requiring any privileges (PR:N) but does require user interaction (UI:R), such as opening or processing the malicious JavaScript file. The attack vector is network-based (AV:N), meaning the malicious file can be delivered remotely. The vulnerability impacts confidentiality, integrity, and availability, with a CVSS v3.1 base score of 8.8, indicating a high severity. The scope is unchanged (S:U), meaning the exploit affects only the vulnerable component without impacting other components. No known public exploits have been reported in the wild to date, and no vendor or product specifics beyond MuJS versions are provided. MuJS is a lightweight JavaScript interpreter often embedded in applications requiring scripting capabilities, such as PDF rendering or embedded systems. The vulnerability’s exploitation could allow attackers to execute arbitrary code remotely, potentially leading to full system compromise depending on the context in which MuJS is embedded.

For European organizations, the impact of CVE-2022-44789 depends largely on the use of MuJS within their software stack. Organizations embedding MuJS in their products or internal tools—such as document processing, PDF rendering, or embedded device management—face significant risk. Successful exploitation could lead to remote code execution, enabling attackers to steal sensitive data, disrupt services, or pivot within networks. Critical sectors such as finance, healthcare, manufacturing, and government agencies could be particularly affected if they rely on software incorporating MuJS. Given the vulnerability requires user interaction, phishing or social engineering campaigns could be used to deliver the malicious JavaScript payload. The high confidentiality, integrity, and availability impact means that data breaches, operational disruptions, and reputational damage are plausible outcomes. Additionally, embedded devices or IoT products using MuJS could be compromised, affecting industrial control systems or critical infrastructure. Although no known exploits are currently active, the high CVSS score and ease of exploitation without privileges underscore the urgency for mitigation.

Upgrade MuJS to version 1.3.2 or later, where the vulnerability has been patched. Identify and inventory all software and devices within the organization that embed MuJS, including third-party applications and embedded systems. Implement strict input validation and sandboxing for any components that process JavaScript files, minimizing the risk of executing untrusted code. Deploy endpoint protection solutions capable of detecting anomalous behavior indicative of exploitation attempts, such as unexpected memory corruption or code injection. Educate users and administrators about the risks of opening untrusted JavaScript files, especially those received via email or downloaded from the internet. Use application whitelisting to prevent unauthorized execution of scripts or binaries that could exploit this vulnerability. Monitor network traffic for unusual activity related to JavaScript file transfers or execution within critical systems. Engage with software vendors to confirm whether their products use MuJS and request timely updates or patches. For embedded devices, apply firmware updates where available or isolate vulnerable devices from critical networks until patched.