CVE-2025-70347 identifies a denial of service vulnerability in the mquickjs JavaScript engine before commit 74b7e, disclosed in early 2026. The vulnerability arises from the get_mblock_size function in mquickjs.c, where a crafted file input can cause resource exhaustion or improper memory handling, leading to a crash or hang of the process. This is classified under CWE-400, indicating uncontrolled resource consumption. The attack vector is local, requiring a user to interact with the vulnerable application by providing a maliciously crafted file. No privileges are required, making it accessible to any local user. The vulnerability does not affect confidentiality or integrity but impacts availability by causing denial of service. The CVSS 3.1 score is 5.5 (medium), reflecting the moderate risk due to local access and user interaction requirements. No known exploits have been reported in the wild, and no official patches have been linked yet, though the fix is expected in or after commit 74b7e. This vulnerability is relevant for environments embedding mquickjs, such as IoT devices, embedded systems, or software development tools that incorporate this JavaScript engine. Attackers could leverage this flaw to disrupt services or applications relying on mquickjs, potentially affecting system stability and availability.

The primary impact of CVE-2025-70347 is denial of service, which can disrupt the availability of applications or systems using mquickjs. Organizations embedding mquickjs in local applications or devices may experience crashes or hangs when processing maliciously crafted files, leading to downtime or degraded service. Although the vulnerability does not compromise data confidentiality or integrity, the loss of availability can affect operational continuity, especially in embedded or IoT environments where mquickjs is used. This can result in productivity loss, increased support costs, and potential reputational damage. Since exploitation requires local access and user interaction, the risk is somewhat contained but remains significant in multi-user systems or environments where untrusted users have local access. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially once proof-of-concept code becomes available.

To mitigate CVE-2025-70347, organizations should implement strict access controls to limit local user access to systems running mquickjs, reducing the risk of malicious file input. Input validation and sanitization should be enforced wherever mquickjs processes external files to prevent crafted inputs from triggering the vulnerability. Monitoring and logging of application crashes or unusual resource consumption can help detect exploitation attempts early. Developers should track the mquickjs repository for the commit 74b7e or later patches and apply updates promptly once available. In environments where immediate patching is not possible, consider sandboxing or isolating mquickjs processes to contain potential denial of service impacts. Additionally, educating users about the risks of opening untrusted files locally can reduce the likelihood of exploitation. For embedded systems, firmware updates incorporating the fix should be prioritized. Finally, security teams should prepare incident response plans for potential DoS events related to this vulnerability.