Overview
A significant security vulnerability, identified as CVE-2025-13120, has been discovered in mruby, affecting versions up to and including 3.4.0. This vulnerability is a use-after-free issue located within the sort_cmp function of the src/array.c file. Successful exploitation of this vulnerability could allow a local attacker to execute arbitrary code or cause a denial-of-service condition.
Technical Details
The vulnerability arises from improper memory management within the sort_cmp function when handling array sorting operations. Specifically, the code may access or manipulate memory that has already been freed, leading to unpredictable behavior. The vulnerability is triggered when processing specially crafted array data. An exploit is publicly available and can be used to reproduce the issue.
The vulnerable file is src/array.c, and the affected function is sort_cmp.
A patch has been released to address this issue, identified by the commit hash eb398971bfb43c38db3e04528b68ac9a7ce509bc.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13120 is 5.3 (Medium).
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Possible Impact
While the vulnerability requires local access, the potential impact can be significant. Successful exploitation could lead to:
- Arbitrary Code Execution: An attacker could potentially execute arbitrary code with the privileges of the affected process.
- Denial of Service (DoS): The application could crash or become unresponsive, leading to a denial of service.
- Information Disclosure: Sensitive information could be leaked from memory.
Mitigation and Patch Steps
The most effective way to mitigate this vulnerability is to apply the official patch provided by the mruby project. Follow these steps:
- Apply the Patch: Apply the patch with commit hash eb398971bfb43c38db3e04528b68ac9a7ce509bc. This can typically be done by cloning the mruby repository and applying the patch manually or by upgrading to a version that includes the fix.
- Upgrade mruby: If available, upgrade to a newer version of mruby that incorporates the fix for CVE-2025-13120.
- Verify the Fix: After applying the patch or upgrading, thoroughly test the application to ensure that the vulnerability has been resolved and that no new issues have been introduced.
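As a first check for the verification step, the following added example (not code from the mruby project) reports whether a local git checkout of mruby already has the fix commit in its history. The function names fix_status and report are hypothetical, and the script assumes git is installed and the checkout is a full clone.

```sh
#!/bin/sh
# Added example: does a git checkout contain the fix commit for CVE-2025-13120?
# Usage: sh check_fix.sh /path/to/mruby
FIX_COMMIT="eb398971bfb43c38db3e04528b68ac9a7ce509bc"  # hash quoted in this advisory

# fix_status REPO_DIR [COMMIT] prints exactly one word:
#   present - COMMIT is an ancestor of HEAD, so the checkout includes the fix
#   absent  - COMMIT exists in the repository but HEAD does not contain it
#   unknown - not a git repository, or the commit object is missing
#             (shallow clone, stale fetch, or a vendor backport under another hash)
fix_status() {
    repo=$1
    commit=${2:-$FIX_COMMIT}
    if ! git -C "$repo" rev-parse --git-dir >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    if ! git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null; then
        echo unknown
        return 0
    fi
    if git -C "$repo" merge-base --is-ancestor "$commit" HEAD 2>/dev/null; then
        echo present
    else
        echo absent
    fi
}

# report REPO_DIR prints a one-line finding and returns non-zero unless patched.
report() {
    status=$(fix_status "$1")
    case $status in
        present) echo "$1: fix commit is in HEAD history"; return 0 ;;
        absent)  echo "$1: fix commit NOT in HEAD history, rebuild from a patched tree"; return 1 ;;
        *)       echo "$1: cannot determine, fetch full history or review src/array.c manually"; return 2 ;;
    esac
}

# Run only when a repository path is passed on the command line.
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

A result of "present" only shows that the source tree is patched; any binary that embeds mruby still has to be rebuilt from that tree and redeployed.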