espruino CVE Vulnerabilities & Metrics

Focus on espruino vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About espruino Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with espruino. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total espruino CVEs: 19
Earliest CVE date: 31 May 2018, 16:29 UTC
Latest CVE date: 07 Feb 2024, 14:15 UTC

Latest CVE reference: CVE-2024-25201

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -100.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -100.0%

Charts (not reproduced here): Monthly CVE Trends (current vs previous year); Annual CVE Trends (last 20 years); Critical espruino CVEs (CVSS ≥ 9) over 20 years.

CVSS Stats

Average CVSS: 4.38

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range       Count
0.0-3.9     4
4.0-6.9     14
7.0-8.9     1
9.0-10.0    0

Top 5 Highest CVSS espruino CVEs

These are the five CVEs with the highest CVSS scores for espruino, sorted by severity first, then by recency.

All CVEs for espruino

CVE-2024-25201 espruino vulnerability CVSS: 0 07 Feb 2024, 14:15 UTC

Espruino 2v20 (commit fcc9ba4) was discovered to contain an Out-of-bounds Read via jsvStringIteratorPrintfCallback at src/jsvar.c.

CVE-2024-25200 espruino vulnerability CVSS: 0 07 Feb 2024, 14:15 UTC

Espruino 2v20 (commit fcc9ba4) was discovered to contain a Stack Overflow via the jspeFactorFunctionCall at src/jsparse.c.

CVE-2020-23257 espruino vulnerability CVSS: 0 04 Apr 2023, 15:15 UTC

Buffer Overflow vulnerability found in Espruino 2v05.41 allows an attacker to cause a denial of service via the function jsvGarbageCollectMarkUsed in file src/jsvar.c.

CVE-2020-19693 espruino vulnerability CVSS: 0 04 Apr 2023, 15:15 UTC

An issue found in Espruino 6ea4c0a allows an attacker to execute arbitrary code via oldFunc parameter of the jswrap_object.c:jswrap_function_replacewith endpoint.

CVE-2022-25465 espruino vulnerability CVSS: 6.8 05 Mar 2022, 02:15 UTC

Espruino 2v11 release was discovered to contain a stack buffer overflow via src/jsvar.c in jsvGetNextSibling.

CVE-2022-25044 espruino vulnerability CVSS: 6.8 05 Mar 2022, 02:15 UTC

Espruino 2v11.251 was discovered to contain a stack buffer overflow via src/jsvar.c in jsvNewFromString.

CVE-2021-46325 espruino vulnerability CVSS: 6.8 20 Jan 2022, 22:15 UTC

Espruino 2v10.246 was discovered to contain a stack buffer overflow via src/jsutils.c in vcbprintf.

CVE-2021-46324 espruino vulnerability CVSS: 6.8 20 Jan 2022, 22:15 UTC

Espruino 2v11.251 was discovered to contain a stack buffer overflow via src/jsvar.c in jsvNewFromString.

CVE-2021-46323 espruino vulnerability CVSS: 4.3 20 Jan 2022, 22:15 UTC

Espruino 2v11.251 was discovered to contain a SEGV vulnerability via src/jsinteractive.c in jsiGetDeviceFromClass.

CVE-2020-22884 espruino vulnerability CVSS: 7.5 13 Jul 2021, 15:15 UTC

Buffer overflow vulnerability in function jsvGetStringChars in Espruino before RELEASE_2V09, allows remote attackers to execute arbitrary code.

CVE-2018-11598 espruino vulnerability CVSS: 5.8 31 May 2018, 16:29 UTC

Espruino before 1.99 allows attackers to cause a denial of service (application crash) and a potential Information Disclosure with user crafted input files via a Buffer Overflow or Out-of-bounds Read during syntax parsing of certain for loops in jsparse.c.

CVE-2018-11597 espruino vulnerability CVSS: 4.3 31 May 2018, 16:29 UTC

Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing because of a missing check for stack exhaustion with many '{' characters in jsparse.c.

CVE-2018-11596 espruino vulnerability CVSS: 4.3 31 May 2018, 16:29 UTC

Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing because a check for '\0' is made for the wrong array element in jsvar.c.

CVE-2018-11595 espruino vulnerability CVSS: 6.8 31 May 2018, 16:29 UTC

Espruino before 1.99 allows attackers to cause a denial of service (application crash) and a potential Escalation of Privileges with a user crafted input file via a Buffer Overflow during syntax parsing, because strncat is misused.

CVE-2018-11594 espruino vulnerability CVSS: 4.3 31 May 2018, 16:29 UTC

Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing of "VOID" tokens in jsparse.c.

CVE-2018-11593 espruino vulnerability CVSS: 5.8 31 May 2018, 16:29 UTC

Espruino before 1.99 allows attackers to cause a denial of service (application crash) and potential Information Disclosure with a user crafted input file via a Buffer Overflow during syntax parsing because strncpy is misused in jslex.c.

CVE-2018-11592 espruino vulnerability CVSS: 4.3 31 May 2018, 16:29 UTC

Espruino before 1.98 allows attackers to cause a denial of service (application crash) with a user crafted input file via an Out-of-bounds Read during syntax parsing in which certain height validation is missing in libs/graphics/jswrap_graphics.c.

CVE-2018-11591 espruino vulnerability CVSS: 4.3 31 May 2018, 16:29 UTC

Espruino before 1.98 allows attackers to cause a denial of service (application crash) with a user crafted input file via a NULL pointer dereference during syntax parsing. This was addressed by adding validation for a debug trace print statement in jsvar.c.

CVE-2018-11590 espruino vulnerability CVSS: 4.3 31 May 2018, 16:29 UTC

Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via an integer overflow during syntax parsing. This was addressed by fixing stack size detection on Linux in jsutils.c.