QuickJS 0.9.0/3b45d15 out-of-bounds

Summaryinfo

A vulnerability, which was classified as problematic, was found in QuickJS. This affects an unknown function. Such manipulation leads to out-of-bounds. This vulnerability is referenced as CVE-2025-62493. It is possible to launch the attack remotely. No exploit is available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in QuickJS and classified as critical. Affected by this issue is some unknown functionality. The manipulation with an unknown input leads to a out-of-bounds vulnerability. Using CWE to declare the problem leads to CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. Impacted is confidentiality, integrity, and availability. CVE summarizes:

A vulnerability exists in the QuickJS engine's BigInt string conversion logic (js_bigint_to_string1) due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure. * The function determines the number of characters (n_digits) needed for the string representation by calculating: $$ \\ \text{n\_digits} = (\text{n\_bits} + \text{log2\_radix} - 1) / \text{log2\_radix}$$ $$$$This formula is off-by-one in certain edge cases when calculating the necessary memory limbs. For instance, a 127-bit BigInt using radix 32 (where $\text{log2\_radix}=5$) is calculated to need $\text{n\_digits}=26$. * The maximum number of bits actually stored is $\text{n\_bits}=127$, which requires only two 64-bit limbs ($\text{JS\_LIMB\_BITS}=64$). * The conversion loop iterates $\text{n\_digits}=26$ times, attempting to read 5 bits in each iteration, totaling $26 \times 5 = 130$ bits. * In the final iterations of the loop, the code attempts to read data that spans two limbs: C c = (r->tab[pos] >> shift) | (r->tab[pos + 1] << (JS_LIMB_BITS - shift)); * Since the BigInt was only allocated two limbs, the read operation for r->tab[pos + 1] becomes an Out-of-Bounds Read when pos points to the last valid limb (e.g., $pos=1$). This vulnerability allows an attacker to cause the engine to read and process data from the memory immediately following the BigInt buffer. This can lead to Information Disclosure of sensitive data stored on the heap adjacent to the BigInt object.

The advisory is shared for download at bellard.org. This vulnerability is handled as CVE-2025-62493 since 10/15/2025. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. There are neither technical details nor an exploit publicly available.

The vulnerability scanner Nessus provides a plugin with the ID 270726 (Linux Distros Unpatched Vulnerability : CVE-2025-62493), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 2025-09-13 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (270726). Once again VulDB remains the best source for vulnerability data.

Productinfo

Name

• QuickJS

Version

• 0.9.0
• 3b45d15

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion