### [CVE-2025-47154](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47154)
![](https://img.shields.io/static/v1?label=Product&message=Ladybird&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-820%20Missing%20Synchronization&color=brightgreen)

### Description

LibJS in Ladybird before f5a6704 mishandles the freeing of the vector that arguments_list references, leading to a use-after-free, and allowing remote attackers to execute arbitrary code via a crafted .js file. NOTE: the GitHub README says "Ladybird is in a pre-alpha state, and only suitable for use by developers."

### POC

#### Reference
- https://jessie.cafe/posts/pwning-ladybirds-libjs/

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds