A vulnerability (CVE-2025-47154) has been disclosed in LibJS, the JavaScript engine used by the Ladybird web browser, which allows attackers to execute code on the system by having it process specially crafted JavaScript. According to the report, the vulnerability is a use-after-free on the vector m_argument_values_buffer, into which a pointer held in the arguments_list structure pointed.
The researcher who discovered the issue found it while fuzzing LibJS and showed that it can be triggered by processing JavaScript code. The vulnerability gave unauthorized read and write access to arbitrary memory within the process. By manipulating the return address of a function, code execution was achieved, and a Return-Oriented Programming (ROP) chain was then built to invoke the execve system call and launch an external application.
The Ladybird browser is being developed by Andreas Kling, who previously worked at Nokia and Apple, contributing to KHTML and Safari, respectively. Ladybird is currently in the pre-alpha stage and is suitable only for developers. Originally created as an application for the SerenityOS operating system, the project became a standalone browser last summer after receiving a $1 million donation. Ladybird is written in C++ (with plans to switch to Swift) and is licensed under the BSD license. The project is actively developing its own engine,