7 vulnerabilities found for quickjs by quickjs_project

CVE-2025-62496 (GCVE-0-2025-62496)
Vulnerability from nvd
Published
2025-10-16 15:52
Modified
2025-10-16 17:26
CWE
  • CWE-190 - Integer Overflow or Wraparound
Summary
A vulnerability exists in the QuickJS engine's BigInt string parsing logic (js_bigint_from_string) when attempting to create a BigInt from a string with an excessively large number of digits. The function calculates the necessary number of bits (n_bits) required to store the BigInt using the formula:

$$\text{n\_bits} = (\text{n\_digits} \times 27 + 7) / 8 \quad (\text{for radix 10})$$

  • For large input strings (e.g., $79,536,432$ digits or more for base 10), the intermediate calculation $(\text{n\_digits} \times 27 + 7)$ exceeds the maximum value of a standard signed 32-bit integer, resulting in an Integer Overflow.
  • The resulting n_bits value becomes unexpectedly small or even negative due to this wrap-around.
  • This flawed n_bits is then used to compute n_limbs, the number of memory "limbs" needed for the BigInt object. Since n_bits is too small, the calculated n_limbs is also significantly underestimated.
  • The function proceeds to allocate a JSBigInt object using this underestimated n_limbs.
  • When the function later attempts to write the actual BigInt data into the allocated object, the small buffer size is quickly exceeded, leading to a Heap Out-of-Bounds Write as data is written past the end of the allocated r->tab array.
Impacted products
Vendor Product Version
QuickJS QuickJS Version: 2025-04-26


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62496",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-16T17:26:14.998141Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-16T17:26:25.654Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://bellard.org/quickjs/",
          "defaultStatus": "unaffected",
          "packageName": "js_bigint_from_string",
          "product": "QuickJS",
          "vendor": "QuickJS",
          "versions": [
            {
              "lessThan": "2025-09-13",
              "status": "affected",
              "version": "2025-04-26",
              "versionType": "date"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Google Big Sleep"
        }
      ],
      "datePublic": "2025-07-24T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA vulnerability exists in the QuickJS engine\u0027s BigInt string parsing logic (\u003ccode\u003ejs_bigint_from_string\u003c/code\u003e) when attempting to create a BigInt from a string with an \u003cb\u003eexcessively large number of digits\u003c/b\u003e.\u003c/p\u003e\u003cp\u003eThe function calculates the necessary number of bits (\u003ccode\u003en_bits\u003c/code\u003e) required to store the BigInt using the formula:\u003c/p\u003e\u003cdiv\u003e$$\\text{n\\_bits} = (\\text{n\\_digits} \\times 27 + 7) / 8 \\quad (\\text{for radix 10})$$\u003c/div\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eFor large input strings (e.g., $79,536,432$ digits or more for base 10), the intermediate calculation $(\\text{n\\_digits} \\times 27 + 7)$ exceeds the maximum value of a standard signed 32-bit integer, resulting in an \u003cb\u003eInteger Overflow\u003c/b\u003e.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eThe resulting \u003ccode\u003en_bits\u003c/code\u003e value becomes unexpectedly small or even \u003cb\u003enegative\u003c/b\u003e due to this wrap-around.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eThis flawed \u003ccode\u003en_bits\u003c/code\u003e is then used to compute \u003ccode\u003en_limbs\u003c/code\u003e, the number of memory \"limbs\" needed for the BigInt object. 
Since \u003ccode\u003en_bits\u003c/code\u003e is too small, the calculated \u003ccode\u003en_limbs\u003c/code\u003e is also \u003cb\u003esignificantly underestimated\u003c/b\u003e.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eThe function proceeds to allocate a \u003cb\u003e\u003ccode\u003eJSBigInt\u003c/code\u003e\u003c/b\u003e object using this underestimated \u003ccode\u003en_limbs\u003c/code\u003e.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eWhen the function later attempts to write the actual BigInt data into the allocated object, the small buffer size is quickly exceeded, leading to a \u003cb\u003eHeap Out-of-Bounds Write\u003c/b\u003e as data is written past the end of the allocated \u003ccode\u003er-\u0026gt;tab\u003c/code\u003e array.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cbr\u003e"
            }
          ],
          "value": "A vulnerability exists in the QuickJS engine\u0027s BigInt string parsing logic (js_bigint_from_string) when attempting to create a BigInt from a string with an excessively large number of digits.\n\nThe function calculates the necessary number of bits (n_bits) required to store the BigInt using the formula:\n\n$$\\text{n\\_bits} = (\\text{n\\_digits} \\times 27 + 7) / 8 \\quad (\\text{for radix 10})$$\n\n  *  For large input strings (e.g., $79,536,432$ digits or more for base 10), the intermediate calculation $(\\text{n\\_digits} \\times 27 + 7)$ exceeds the maximum value of a standard signed 32-bit integer, resulting in an Integer Overflow.\n\n\n  *  The resulting n_bits value becomes unexpectedly small or even negative due to this wrap-around.\n\n\n  *  This flawed n_bits is then used to compute n_limbs, the number of memory \"limbs\" needed for the BigInt object. Since n_bits is too small, the calculated n_limbs is also significantly underestimated.\n\n\n  *  The function proceeds to allocate a JSBigInt object using this underestimated n_limbs.\n\n\n  *  When the function later attempts to write the actual BigInt data into the allocated object, the small buffer size is quickly exceeded, leading to a Heap Out-of-Bounds Write as data is written past the end of the allocated r-\u003etab array."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-175",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-175 Code Inclusion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190 Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-16T15:52:05.654Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://bellard.org/quickjs/Changelog"
        },
        {
          "url": "https://issuetracker.google.com/434193016"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Integer overflow in js_bigint_from_string in QuickJS",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2025-62496",
    "datePublished": "2025-10-16T15:52:05.654Z",
    "dateReserved": "2025-10-15T08:47:41.878Z",
    "dateUpdated": "2025-10-16T17:26:25.654Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-62495 (GCVE-0-2025-62495)
Vulnerability from nvd
Published
2025-10-16 15:51
Modified
2025-10-16 17:42
CWE
  • CWE-191 - Integer Underflow (Wrap or Wraparound)
Summary
An integer overflow vulnerability exists in the QuickJS regular expression engine (libregexp) due to an inconsistent representation of the bytecode buffer size.

  • The regular expression bytecode is stored in a DynBuf structure, which correctly uses a size_t (an unsigned type, typically 64-bit) for its size member.
  • However, several functions, such as re_emit_op_u32 and other internal parsing routines, incorrectly cast or store this DynBuf size_t value into a signed int (typically 32-bit).
  • When a large or complex regular expression (such as those generated by a recursive pattern in a Proof-of-Concept) causes the bytecode size to exceed $2^{31}$ bytes (the maximum positive value for a signed 32-bit integer), the size value wraps around, resulting in a negative integer when stored in the int variable (Integer Overflow).
  • This negative value is subsequently used in offset calculations. For example, within functions like re_parse_disjunction, the negative size is used to compute an offset (pos) for patching a jump instruction.
  • This negative offset is then incorrectly added to the buffer pointer (s->byte_code.buf + pos), leading to an out-of-bounds write in the following line:

    put_u32(s->byte_code.buf + pos, len);
Impacted products
Vendor Product Version
QuickJS QuickJS Version: 2025-04-26


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62495",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-16T17:40:14.439633Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-16T17:42:15.865Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://bellard.org/quickjs/",
          "defaultStatus": "unaffected",
          "packageName": "libregexp",
          "product": "QuickJS",
          "vendor": "QuickJS",
          "versions": [
            {
              "lessThan": "2025-09-13",
              "status": "affected",
              "version": "2025-04-26",
              "versionType": "date"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Google Big Sleep"
        }
      ],
      "datePublic": "2025-07-24T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn integer overflow vulnerability exists in the QuickJS regular expression engine (\u003ccode\u003elibregexp\u003c/code\u003e) due to an \u003cb\u003einconsistent representation of the bytecode buffer size\u003c/b\u003e.\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eThe regular expression bytecode is stored in a \u003ccode\u003eDynBuf\u003c/code\u003e structure, which correctly uses a $\\text{size}\\_\\text{t}$ (an unsigned type, typically 64-bit) for its \u003ccode\u003esize\u003c/code\u003e member.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eHowever, several functions, such as \u003ccode\u003ere_emit_op_u32\u003c/code\u003e and other internal parsing routines, incorrectly cast or store this \u003ccode\u003eDynBuf\u003c/code\u003e $\\text{size}\\_\\text{t}$ value into a signed \u003cb\u003eint\u003c/b\u003e (typically 32-bit).\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eWhen a large or complex regular expression (such as those generated by a recursive pattern in a Proof-of-Concept) causes the bytecode size to exceed \u003cb\u003e$2^{31}$ bytes\u003c/b\u003e (the maximum positive value for a signed 32-bit integer), the size value wraps around, resulting in a \u003cb\u003enegative integer\u003c/b\u003e when stored in the \u003ccode\u003eint\u003c/code\u003e variable (Integer Overflow).\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eThis negative value is subsequently used in offset calculations. 
For example, within functions like \u003ccode\u003ere_parse_disjunction\u003c/code\u003e, the negative size is used to compute an offset (\u003ccode\u003epos\u003c/code\u003e) for patching a jump instruction.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eThis negative offset is then incorrectly added to the buffer pointer (\u003ccode\u003es-\u0026gt;byte\\_code.buf + pos\u003c/code\u003e), leading to an \u003cb\u003eout-of-bounds write\u003c/b\u003e on the first line of the snippet below:\u003c/p\u003e\u003cblockquote\u003e\u003cp\u003e\u003ccode\u003eput_u32(s-\u0026gt;byte_code.buf + pos, len);\u003c/code\u003e\u003c/p\u003e\u003c/blockquote\u003e\u003c/li\u003e\u003c/ol\u003e\u003cbr\u003e"
            }
          ],
          "value": "An integer overflow vulnerability exists in the QuickJS regular expression engine (libregexp) due to an inconsistent representation of the bytecode buffer size.\n\n  *  The regular expression bytecode is stored in a DynBuf structure, which correctly uses a $\\text{size}\\_\\text{t}$ (an unsigned type, typically 64-bit) for its size member.\n\n\n  *  However, several functions, such as re_emit_op_u32 and other internal parsing routines, incorrectly cast or store this DynBuf $\\text{size}\\_\\text{t}$ value into a signed int (typically 32-bit).\n\n\n  *  When a large or complex regular expression (such as those generated by a recursive pattern in a Proof-of-Concept) causes the bytecode size to exceed $2^{31}$ bytes (the maximum positive value for a signed 32-bit integer), the size value wraps around, resulting in a negative integer when stored in the int variable (Integer Overflow).\n\n\n  *  This negative value is subsequently used in offset calculations. For example, within functions like re_parse_disjunction, the negative size is used to compute an offset (pos) for patching a jump instruction.\n\n\n  *  This negative offset is then incorrectly added to the buffer pointer (s-\u003ebyte\\_code.buf + pos), leading to an out-of-bounds write on the first line of the snippet below:\n\nput_u32(s-\u003ebyte_code.buf + pos, len);"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-175",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-175 Code Inclusion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-191",
              "description": "CWE-191 Integer Underflow (Wrap or Wraparound)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-16T15:51:58.953Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://bellard.org/quickjs/Changelog"
        },
        {
          "url": "https://issuetracker.google.com/434196926"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Type confusion in string addition in QuickJS",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2025-62495",
    "datePublished": "2025-10-16T15:51:58.953Z",
    "dateReserved": "2025-10-15T08:47:41.878Z",
    "dateUpdated": "2025-10-16T17:42:15.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-62494 (GCVE-0-2025-62494)
Vulnerability from nvd
Published
2025-10-16 15:51
Modified
2025-10-16 17:46
CWE
  • CWE-704 - Incorrect Type Conversion or Cast
Summary
A type confusion vulnerability exists in the handling of the string addition (+) operation within the QuickJS engine.

  • The code first checks if the left-hand operand is a string.
  • It then attempts to convert the right-hand operand to a primitive value using JS_ToPrimitiveFree. This conversion can trigger a callback (e.g., toString or valueOf).
  • During this callback, an attacker can modify the type of the left-hand operand in memory, changing it from a string to a different type (e.g., an object or an array).
  • The code then proceeds to call JS_ConcatStringInPlace, which still treats the modified left-hand value as a string.

This mismatch between the assumed type (string) and the actual type allows an attacker to control the data structure being processed by the concatenation logic, resulting in a type confusion condition. This can lead to out-of-bounds memory access, potentially resulting in memory corruption and arbitrary code execution in the context of the QuickJS runtime.
Impacted products
Vendor Product Version
QuickJS QuickJS Version: 2025-04-26


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62494",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-16T17:46:18.542287Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-16T17:46:39.174Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://bellard.org/quickjs/",
          "defaultStatus": "unaffected",
          "packageName": "JS_ConcatStringInPlace",
          "product": "QuickJS",
          "vendor": "QuickJS",
          "versions": [
            {
              "lessThan": "2025-09-13",
              "status": "affected",
              "version": "2025-04-26",
              "versionType": "date"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Google Big Sleep"
        }
      ],
      "datePublic": "2025-07-24T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA type confusion vulnerability exists in the handling of the \u003cb\u003estring addition (\u003ccode\u003e+\u003c/code\u003e) operation\u003c/b\u003e within the QuickJS engine.\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eThe code first checks if the \u003cb\u003eleft-hand operand\u003c/b\u003e is a \u003cb\u003estring\u003c/b\u003e.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eIt then attempts to convert the \u003cb\u003eright-hand operand\u003c/b\u003e to a primitive value using \u003ccode\u003eJS_ToPrimitiveFree\u003c/code\u003e. This conversion can trigger a \u003cb\u003ecallback\u003c/b\u003e (e.g., \u003ccode\u003etoString\u003c/code\u003e or \u003ccode\u003evalueOf\u003c/code\u003e).\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eDuring this callback, an attacker can modify the \u003cb\u003etype\u003c/b\u003e of the \u003cb\u003eleft-hand operand\u003c/b\u003e in memory, changing it from a string to a different type (e.g., an object or an array).\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eThe code then proceeds to call \u003ccode\u003eJS_ConcatStringInPlace\u003c/code\u003e, which still treats the modified left-hand value as a string.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThis mismatch between the assumed type (string) and the actual type allows an attacker to control the data structure being processed by the concatenation logic, resulting in a \u003cb\u003etype confusion condition\u003c/b\u003e. This can lead to out-of-bounds memory access, potentially resulting in \u003cb\u003ememory corruption\u003c/b\u003e and \u003cb\u003earbitrary code execution\u003c/b\u003e in the context of the QuickJS runtime.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "A type confusion vulnerability exists in the handling of the string addition (+) operation within the QuickJS engine.\n\n  *  The code first checks if the left-hand operand is a string.\n\n\n  *  It then attempts to convert the right-hand operand to a primitive value using JS_ToPrimitiveFree. This conversion can trigger a callback (e.g., toString or valueOf).\n\n\n  *  During this callback, an attacker can modify the type of the left-hand operand in memory, changing it from a string to a different type (e.g., an object or an array).\n\n\n  *  The code then proceeds to call JS_ConcatStringInPlace, which still treats the modified left-hand value as a string.\n\n\nThis mismatch between the assumed type (string) and the actual type allows an attacker to control the data structure being processed by the concatenation logic, resulting in a type confusion condition. This can lead to out-of-bounds memory access, potentially resulting in memory corruption and arbitrary code execution in the context of the QuickJS runtime."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-175",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-175 Code Inclusion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-704",
              "description": "CWE-704 Incorrect Type Conversion or Cast",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-16T15:51:50.977Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://bellard.org/quickjs/Changelog"
        },
        {
          "url": "https://issuetracker.google.com/434193023"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Type confusion in string addition in QuickJS",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2025-62494",
    "datePublished": "2025-10-16T15:51:50.977Z",
    "dateReserved": "2025-10-15T08:47:41.878Z",
    "dateUpdated": "2025-10-16T17:46:39.174Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-62493 (GCVE-0-2025-62493)
Vulnerability from nvd
Published
2025-10-16 15:51
Modified
2025-10-16 17:59
CWE
Summary
A vulnerability exists in the QuickJS engine's BigInt string conversion logic (js_bigint_to_string1) due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure.

  • The function determines the number of characters (n_digits) needed for the string representation by calculating:

    $$\text{n\_digits} = (\text{n\_bits} + \text{log2\_radix} - 1) / \text{log2\_radix}$$

    This formula is off-by-one in certain edge cases when calculating the necessary memory limbs. For instance, a 127-bit BigInt using radix 32 (where $\text{log2\_radix}=5$) is calculated to need $\text{n\_digits}=26$.
  • The maximum number of bits actually stored is $\text{n\_bits}=127$, which requires only two 64-bit limbs ($\text{JS\_LIMB\_BITS}=64$).
  • The conversion loop iterates $\text{n\_digits}=26$ times, attempting to read 5 bits in each iteration, totaling $26 \times 5 = 130$ bits.
  • In the final iterations of the loop, the code attempts to read data that spans two limbs:

    c = (r->tab[pos] >> shift) | (r->tab[pos + 1] << (JS_LIMB_BITS - shift));

  • Since the BigInt was only allocated two limbs, the read operation for r->tab[pos + 1] becomes an Out-of-Bounds Read when pos points to the last valid limb (e.g., $\text{pos}=1$).

This vulnerability allows an attacker to cause the engine to read and process data from the memory immediately following the BigInt buffer. This can lead to Information Disclosure of sensitive data stored on the heap adjacent to the BigInt object.
Impacted products
Vendor Product Version
QuickJS QuickJS Version: 2025-04-26


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62493",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-16T17:56:52.934146Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-16T17:59:10.306Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://bellard.org/quickjs/",
          "defaultStatus": "unaffected",
          "packageName": "js_bigint_to_string1",
          "product": "QuickJS",
          "vendor": "QuickJS",
          "versions": [
            {
              "lessThan": "2025-09-13",
              "status": "affected",
              "version": "2025-04-26",
              "versionType": "date"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Google Big Sleep"
        }
      ],
      "datePublic": "2025-07-24T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA vulnerability exists in the QuickJS engine\u0027s BigInt string conversion logic (\u003ccode\u003ejs_bigint_to_string1\u003c/code\u003e) due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure.\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eThe function determines the number of characters (\u003ccode\u003en_digits\u003c/code\u003e) needed for the string representation by calculating:\u003c/p\u003e\u003cdiv\u003e$$ \\\\ \\text{n\\_digits} = (\\text{n\\_bits} + \\text{log2\\_radix} - 1) / \\text{log2\\_radix}$$\u003c/div\u003e\u003cp\u003e$$$$This formula is \u003cb\u003eoff-by-one\u003c/b\u003e in certain edge cases when calculating the necessary memory limbs. For instance, a 127-bit BigInt using radix 32 (where $\\text{log2\\_radix}=5$) is calculated to need $\\text{n\\_digits}=26$.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eThe maximum number of bits actually stored is $\\text{n\\_bits}=127$, which requires only two 64-bit limbs ($\\text{JS\\_LIMB\\_BITS}=64$).\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eThe conversion loop iterates \u003cb\u003e$\\text{n\\_digits}=26$ times\u003c/b\u003e, attempting to read 5 bits in each iteration, totaling $26 \\times 5 = 130$ bits.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eIn the final iterations of the loop, the code attempts to read data that spans two limbs:\u003c/p\u003e\u003cdiv\u003e\u003cdiv\u003eC\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cpre\u003e\u003ccode\u003ec = (r-\u0026gt;tab[pos] \u0026gt;\u0026gt; shift) | (r-\u0026gt;tab[pos + 1] \u0026lt;\u0026lt; (JS_LIMB_BITS - shift));\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eSince the BigInt was only allocated two limbs, the read operation for \u003ccode\u003er-\u0026gt;tab[pos + 
1]\u003c/code\u003e becomes an \u003cb\u003eOut-of-Bounds Read\u003c/b\u003e when \u003ccode\u003epos\u003c/code\u003e points to the last valid limb (e.g., $pos=1$).\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThis vulnerability allows an attacker to cause the engine to read and process data from the memory immediately following the BigInt buffer. This can lead to \u003cb\u003eInformation Disclosure\u003c/b\u003e of sensitive data stored on the heap adjacent to the BigInt object.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "A vulnerability exists in the QuickJS engine\u0027s BigInt string conversion logic (js_bigint_to_string1) due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure.\n\n  *  The function determines the number of characters (n_digits) needed for the string representation by calculating:\n\n$$ \\\\ \\text{n\\_digits} = (\\text{n\\_bits} + \\text{log2\\_radix} - 1) / \\text{log2\\_radix}$$\n\n$$$$This formula is off-by-one in certain edge cases when calculating the necessary memory limbs. For instance, a 127-bit BigInt using radix 32 (where $\\text{log2\\_radix}=5$) is calculated to need $\\text{n\\_digits}=26$.\n\n\n  *  The maximum number of bits actually stored is $\\text{n\\_bits}=127$, which requires only two 64-bit limbs ($\\text{JS\\_LIMB\\_BITS}=64$).\n\n\n  *  The conversion loop iterates $\\text{n\\_digits}=26$ times, attempting to read 5 bits in each iteration, totaling $26 \\times 5 = 130$ bits.\n\n\n  *  In the final iterations of the loop, the code attempts to read data that spans two limbs:\n\nC\n\n\n\nc = (r-\u003etab[pos] \u003e\u003e shift) | (r-\u003etab[pos + 1] \u003c\u003c (JS_LIMB_BITS - shift));\n\n\n\n\n\n\n\n\n\n  *  Since the BigInt was only allocated two limbs, the read operation for r-\u003etab[pos + 1] becomes an Out-of-Bounds Read when pos points to the last valid limb (e.g., $pos=1$).\n\n\nThis vulnerability allows an attacker to cause the engine to read and process data from the memory immediately following the BigInt buffer. This can lead to Information Disclosure of sensitive data stored on the heap adjacent to the BigInt object."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-175",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-175 Code Inclusion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-16T15:51:42.952Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://bellard.org/quickjs/Changelog"
        },
        {
          "url": "https://issuetracker.google.com/434193024"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Heap out-of-bounds read in js_bigint_to_string1 in QuickJS",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2025-62493",
    "datePublished": "2025-10-16T15:51:42.952Z",
    "dateReserved": "2025-10-15T08:47:41.878Z",
    "dateUpdated": "2025-10-16T17:59:10.306Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-62492 (GCVE-0-2025-62492)
Vulnerability from nvd
Published
2025-10-16 15:51
Modified
2025-10-16 18:02
CWE
Summary
A vulnerability stemming from floating-point arithmetic precision errors exists in the QuickJS engine's implementation of TypedArray.prototype.indexOf() when a negative fromIndex argument is supplied. * The fromIndex argument (read as a double variable, $d$) is used to calculate the starting position for the search. * If d is negative, the index is calculated relative to the end of the array by adding the array's length (len) to d: $$d_{new} = d + \text{len}$$ * Due to the inherent limitations of floating-point arithmetic, if the negative value $d$ is extremely small (e.g., $-1 \times 10^{-20}$), the addition $d + \text{len}$ can result in a loss of precision, yielding an outcome that is exactly equal to $\text{len}$. * The result is then converted to an integer index $k$: $k = \text{len}$. * The search function proceeds to read array elements starting from index $k$. Since valid indices are $0$ to $\text{len}-1$, starting the read at index $\text{len}$ is one element past the end of the array. This allows an attacker to cause an Out-of-Bounds Read of one element immediately following the buffer. While the scope of this read is small (one element), it can potentially lead to Information Disclosure of adjacent memory contents, depending on the execution environment.
Impacted products
Vendor Product Version
QuickJS QuickJS Version: 2025-04-26


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62492",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-16T18:01:27.698649Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-16T18:02:02.585Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://bellard.org/quickjs/",
          "defaultStatus": "unaffected",
          "packageName": "js_typed_array_indexOf",
          "product": "QuickJS",
          "vendor": "QuickJS",
          "versions": [
            {
              "lessThan": "2025-09-13",
              "status": "affected",
              "version": "2025-04-26",
              "versionType": "date"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Google Big Sleep"
        }
      ],
      "datePublic": "2025-07-24T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA vulnerability stemming from floating-point arithmetic precision errors exists in the QuickJS engine\u0027s implementation of \u003ccode\u003eTypedArray.prototype.indexOf()\u003c/code\u003e when a negative \u003cb\u003e\u003ccode\u003efromIndex\u003c/code\u003e\u003c/b\u003e argument is supplied.\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eThe \u003ccode\u003efromIndex\u003c/code\u003e argument (read as a \u003ccode\u003edouble\u003c/code\u003e variable, $d$) is used to calculate the starting position for the search.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eIf d is negative, the index is calculated relative to the end of the array by adding the array\u0027s length (len) to d:\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e$$d_{new} = d + \\text{len}$$\u003c/div\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eDue to the inherent limitations of \u003cb\u003efloating-point arithmetic\u003c/b\u003e, if the negative value $d$ is extremely small (e.g., $-1 \\times 10^{-20}$), the addition $d + \\text{len}$ can result in a loss of precision, yielding an outcome that is \u003cb\u003eexactly equal to $\\text{len}$\u003c/b\u003e.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eThe result is then converted to an integer index $k$: $k = \\text{len}$.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eThe search function proceeds to read array elements starting from index $k$. Since valid indices are $0$ to $\\text{len}-1$, starting the read at index $\\text{len}$ is \u003cb\u003eone element past the end of the array\u003c/b\u003e.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003eThis allows an attacker to cause an \u003cb\u003eOut-of-Bounds Read\u003c/b\u003e of one element immediately following the buffer. 
While the scope of this read is small (one element), it can potentially lead to \u003cb\u003eInformation Disclosure\u003c/b\u003e of adjacent memory contents, depending on the execution environment.\u003cbr\u003e"
            }
          ],
          "value": "A vulnerability stemming from floating-point arithmetic precision errors exists in the QuickJS engine\u0027s implementation of TypedArray.prototype.indexOf() when a negative fromIndex argument is supplied.\n\n  *  The fromIndex argument (read as a double variable, $d$) is used to calculate the starting position for the search.\n\n\n  *  If d is negative, the index is calculated relative to the end of the array by adding the array\u0027s length (len) to d:\n\n\n\n$$d_{new} = d + \\text{len}$$\n\n\n  *  Due to the inherent limitations of floating-point arithmetic, if the negative value $d$ is extremely small (e.g., $-1 \\times 10^{-20}$), the addition $d + \\text{len}$ can result in a loss of precision, yielding an outcome that is exactly equal to $\\text{len}$.\n\n\n  *  The result is then converted to an integer index $k$: $k = \\text{len}$.\n\n\n  *  The search function proceeds to read array elements starting from index $k$. Since valid indices are $0$ to $\\text{len}-1$, starting the read at index $\\text{len}$ is one element past the end of the array.\n\n\nThis allows an attacker to cause an Out-of-Bounds Read of one element immediately following the buffer. While the scope of this read is small (one element), it can potentially lead to Information Disclosure of adjacent memory contents, depending on the execution environment."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-175",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-175 Code Inclusion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-16T15:51:34.445Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://bellard.org/quickjs/Changelog"
        },
        {
          "url": "https://issuetracker.google.com/434194797"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Heap out-of-bounds read in js_typed_array_indexOf in QuickJS",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2025-62492",
    "datePublished": "2025-10-16T15:51:34.445Z",
    "dateReserved": "2025-10-15T08:47:41.878Z",
    "dateUpdated": "2025-10-16T18:02:02.585Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-62491 (GCVE-0-2025-62491)
Vulnerability from nvd
Published
2025-10-16 15:51
Modified
2025-10-16 18:04
CWE
Summary
A Use-After-Free (UAF) vulnerability exists in the QuickJS engine's standard library when iterating over the global list of unhandled rejected promises (ts->rejected_promise_list). * The function js_std_promise_rejection_check attempts to iterate over the rejected_promise_list to report unhandled rejections using a standard list loop. * The reason for a promise rejection is processed inside the loop, including calling js_std_dump_error1(ctx, rp->reason). * If the promise rejection reason is an Error object that defines a custom property getter (e.g., via Object.defineProperty), this getter is executed during the error dumping process. * The malicious custom getter can execute JavaScript code that calls catch() on the same rejected promise being processed. * Calling catch() internally triggers js_std_promise_rejection_tracker, which then removes and frees the current promise entry (JSRejectedPromiseEntry) from the rejected_promise_list. * Since the list iteration continues using the now-freed memory pointer (el), the subsequent loop access results in a Use-After-Free condition.
Impacted products
Vendor Product Version
QuickJS QuickJS Version: 2025-04-26


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62491",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-16T18:03:58.190903Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-16T18:04:16.529Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://bellard.org/quickjs/",
          "defaultStatus": "unaffected",
          "packageName": "js_std_promise_rejection_check",
          "product": "QuickJS",
          "vendor": "QuickJS",
          "versions": [
            {
              "lessThan": "2025-09-13",
              "status": "affected",
              "version": "2025-04-26",
              "versionType": "date"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Google Big Sleep"
        }
      ],
      "datePublic": "2025-07-24T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA \u003cb\u003eUse-After-Free (UAF)\u003c/b\u003e vulnerability exists in the QuickJS engine\u0027s standard library when iterating over the global list of unhandled rejected promises (\u003ccode\u003ets-\u0026gt;rejected_promise_list\u003c/code\u003e).\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eThe function \u003cb\u003e\u003ccode\u003ejs_std_promise_rejection_check\u003c/code\u003e\u003c/b\u003e attempts to iterate over the \u003ccode\u003erejected_promise_list\u003c/code\u003e to report unhandled rejections using a standard list loop.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eThe \u003cb\u003ereason\u003c/b\u003e for a promise rejection is processed inside the loop, including calling \u003ccode\u003ejs_std_dump_error1(ctx, rp-\u0026gt;reason)\u003c/code\u003e.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eIf the promise \u003cb\u003erejection reason\u003c/b\u003e is an \u003cb\u003eError object\u003c/b\u003e that defines a custom property \u003cb\u003egetter\u003c/b\u003e (e.g., via \u003ccode\u003eObject.defineProperty\u003c/code\u003e), this getter is executed during the error dumping process.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eThe malicious custom getter can execute JavaScript code that calls \u003cb\u003e\u003ccode\u003ecatch()\u003c/code\u003e\u003c/b\u003e on the \u003ci\u003esame\u003c/i\u003e rejected promise being processed.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eCalling \u003ccode\u003ecatch()\u003c/code\u003e internally triggers \u003cb\u003e\u003ccode\u003ejs_std_promise_rejection_tracker\u003c/code\u003e\u003c/b\u003e, which then \u003cb\u003eremoves and frees\u003c/b\u003e the current promise entry (\u003ccode\u003eJSRejectedPromiseEntry\u003c/code\u003e) from the \u003ccode\u003erejected_promise_list\u003c/code\u003e.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eSince the list iteration continues using the now-freed memory pointer 
(\u003ccode\u003eel\u003c/code\u003e), the subsequent loop access results in a \u003cb\u003eUse-After-Free\u003c/b\u003e condition.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cbr\u003e"
            }
          ],
          "value": "A Use-After-Free (UAF) vulnerability exists in the QuickJS engine\u0027s standard library when iterating over the global list of unhandled rejected promises (ts-\u003erejected_promise_list).\n\n  *  The function js_std_promise_rejection_check attempts to iterate over the rejected_promise_list to report unhandled rejections using a standard list loop.\n\n\n  *  The reason for a promise rejection is processed inside the loop, including calling js_std_dump_error1(ctx, rp-\u003ereason).\n\n\n  *  If the promise rejection reason is an Error object that defines a custom property getter (e.g., via Object.defineProperty), this getter is executed during the error dumping process.\n\n\n  *  The malicious custom getter can execute JavaScript code that calls catch() on the same rejected promise being processed.\n\n\n  *  Calling catch() internally triggers js_std_promise_rejection_tracker, which then removes and frees the current promise entry (JSRejectedPromiseEntry) from the rejected_promise_list.\n\n\n  *  Since the list iteration continues using the now-freed memory pointer (el), the subsequent loop access results in a Use-After-Free condition."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-175",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-175 Code Inclusion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-16T15:51:24.238Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://bellard.org/quickjs/Changelog"
        },
        {
          "url": "https://issuetracker.google.com/434195203"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Use-after-free in js_std_promise_rejection_check in QuickJS",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2025-62491",
    "datePublished": "2025-10-16T15:51:24.238Z",
    "dateReserved": "2025-10-15T08:47:41.878Z",
    "dateUpdated": "2025-10-16T18:04:16.529Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-62490 (GCVE-0-2025-62490)
Vulnerability from nvd
Published
2025-10-16 15:51
Modified
2025-10-16 18:08
CWE
Summary
In quickjs, in js_print_object, when printing an array, the function first fetches the array length and then loops over it. The issue is that printing a value is not side-effect free: an attacker-defined callback could run during js_print_value, during which the array could get resized and len1 become out of bounds. This results in a use-after-free. A second instance occurs in the same function when printing map or set objects. The code iterates over the ms->records list, but once again, elements could be removed from the list during the js_print_value call.
Impacted products
Vendor Product Version
QuickJS QuickJS Version: 2025-04-26


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62490",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-16T18:07:46.371137Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-16T18:08:20.982Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://bellard.org/quickjs/",
          "defaultStatus": "unaffected",
          "packageName": "js_print_object",
          "product": "QuickJS",
          "vendor": "QuickJS",
          "versions": [
            {
              "lessThan": "2025-09-13",
              "status": "affected",
              "version": "2025-04-26",
              "versionType": "date"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Google Big Sleep"
        }
      ],
      "datePublic": "2025-07-24T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn quickjs, in \u003c/span\u003e\u003ccode\u003ejs_print_object\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, when printing an array, the function first fetches the array length and then loops over it.\u0026nbsp;\u003c/span\u003eThe issue is, printing a value is not side-effect free. An attacker-defined callback could run during \u003ccode\u003ejs_print_value\u003c/code\u003e, during which the array could get resized and \u003ccode\u003elen1\u003c/code\u003e\u0026nbsp;become out of bounds. This results in a use-after-free.\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cp\u003eA second instance occurs in the same function during printing of a map or set objects. The code iterates over \u003ccode\u003ems-\u0026gt;records\u003c/code\u003e\u0026nbsp;list, but once again, elements could be removed from the list during \u003ccode\u003ejs_print_value\u003c/code\u003e\u0026nbsp;call.\u003c/p\u003e\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "In quickjs, in js_print_object, when printing an array, the function first fetches the array length and then loops over it.\u00a0The issue is, printing a value is not side-effect free. An attacker-defined callback could run during js_print_value, during which the array could get resized and len1\u00a0become out of bounds. This results in a use-after-free.A second instance occurs in the same function during printing of a map or set objects. The code iterates over ms-\u003erecords\u00a0list, but once again, elements could be removed from the list during js_print_value\u00a0call."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-175",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-175 Code Inclusion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-16T15:51:06.100Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://bellard.org/quickjs/Changelog"
        },
        {
          "url": "https://issuetracker.google.com/434196651"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Use-after-free in js_print_object in QuickJS",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2025-62490",
    "datePublished": "2025-10-16T15:51:06.100Z",
    "dateReserved": "2025-10-15T08:47:41.877Z",
    "dateUpdated": "2025-10-16T18:08:20.982Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}