CVE-2025-30397 PoC — Scripting Engine Memory Corruption Vulnerability

Associated Vulnerability
Title: Scripting Engine Memory Corruption Vulnerability (CVE-2025-30397)
Description: Access of resource using incompatible type ('type confusion') in Microsoft Scripting Engine allows an unauthorized attacker to execute code over a network.
Description
Remote Code Execution via Use-After-Free in JScript.dll (CVE-2025-30397)
Readme
# CVE-2025-30397---Windows-Server-2025-JScript-RCE-Use-After-Free


## 🧠 Description

This repository contains a proof-of-concept (PoC) exploit for a Use-After-Free vulnerability in the JScript engine (`jscript.dll`) affecting Windows Server 2025 (build 25398 and prior). The vulnerability allows remote code execution by exploiting memory corruption through heap spraying techniques. The PoC demonstrates execution of `calc.exe` via Internet Explorer 11 on the affected system.

---

## 🔍 CVE Details

- CVE ID: [CVE-2025-30397](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30397)
- Vendor: Microsoft
- Affected Platforms: Windows Server 2025 (build 25398 and prior)
- Tested On: Windows Server 2025 + Internet Explorer 11 (x86)
- Vulnerability Type: Use-After-Free in `jscript.dll`
- Impact: Remote Code Execution (RCE)
- Severity: Critical



## ⚙️ Technical Summary

This PoC exploits a Use-After-Free bug caused by improper management of object references in the legacy JScript engine. When triggered via a specially crafted HTML page, the vulnerability allows attackers to corrupt memory and achieve remote code execution. The exploit uses heap spraying to place shellcode in memory, ultimately executing `calc.exe` on vulnerable systems running Windows Server 2025 with Internet Explorer 11. This demonstrates the impact of the flaw and confirms exploitability under real conditions.

Author

Mohammed Idrees Banyamer

File Snapshot

[4.0K] /data/pocs/cc933c3bca252670b9ca9ec75b6824c8dfdd25bd
├── [4.3K] exploit.py
├── [ 34K] LICENSE
└── [1.5K] README.md

0 directories, 3 files