333 matches found
CVE-2025-62494
A type confusion vulnerability exists in the handling of the string addition + operation within the QuickJS engine. The code first checks if the left-hand operand is a string. It then attempts to convert the right-hand operand to a primitive value using JSToPrimitiveFree. This conversion can...
CVE-2025-62494 Type confusion in string addition in QuickJS
A type confusion vulnerability exists in the handling of the string addition + operation within the QuickJS engine. The code first checks if the left-hand operand is a string. It then attempts to convert the right-hand operand to a primitive value using JSToPrimitiveFree. This conversion can...
CVE-2025-62494
Summary: CVE-2025-62494 is a type-confusion vulnerability in the QuickJS engine’s string concatenation path. During the + operation, if the left operand is a string, the code converts the right operand to a primitive via JS_ToPrimitiveFree, which can trigger callbacks (toString/valueOf). While th...
CVE-2025-62493
A vulnerability exists in the QuickJS engine's BigInt string conversion logic jsbiginttostring1 due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure. The function determines the number of characters ndigits...
CVE-2025-62493
A vulnerability exists in the QuickJS engine's BigInt string conversion logic jsbiginttostring1 due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure. The function determines the number of characters ndigits...
CVE-2025-62493 Heap out-of-bounds read in js_bigint_to_string1 in QuickJS
A vulnerability exists in the QuickJS engine's BigInt string conversion logic jsbiginttostring1 due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure. The function determines the number of characters ndigits...
CVE-2025-62493 Heap out-of-bounds read in js_bigint_to_string1 in QuickJS
A vulnerability exists in the QuickJS engine's BigInt string conversion logic jsbiginttostring1 due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure. The function determines the number of characters ndigits...
CVE-2025-62493
CVE-2025-62493 affects the QuickJS engine, specifically the BigInt string conversion path (js_bigint_to_string1). The root cause is an off-by-one error in the calculation of the number of digits (n_digits) needed for the string representation, which can cause memory reads beyond the allocated Big...
CVE-2025-62492
CVE-2025-62492 is a vulnerability in the QuickJS engine affecting the implementation of TypedArray.prototype.indexOf(). When a negative fromIndex is supplied, the calculation d_new = d + len can suffer floating-point precision loss, producing k = len. The search then reads starting at index len, ...
CVE-2025-62492 Heap out-of-bounds read in js_typed_array_indexOf in QuickJS
A vulnerability stemming from floating-point arithmetic precision errors exists in the QuickJS engine's implementation of TypedArray.prototype.indexOf when a negative fromIndex argument is supplied. The fromIndex argument read as a double variable, $d$ is used to calculate the starting position f...
CVE-2025-62492 Heap out-of-bounds read in js_typed_array_indexOf in QuickJS
A vulnerability stemming from floating-point arithmetic precision errors exists in the QuickJS engine's implementation of TypedArray.prototype.indexOf when a negative fromIndex argument is supplied. The fromIndex argument read as a double variable, $d$ is used to calculate the starting position f...
CVE-2025-62492
A vulnerability stemming from floating-point arithmetic precision errors exists in the QuickJS engine's implementation of TypedArray.prototype.indexOf when a negative fromIndex argument is supplied. The fromIndex argument read as a double variable, $d$ is used to calculate the starting position f...
CVE-2025-62491 Use-after-free in js_std_promise_rejection_check in QuickJS
A Use-After-Free UAF vulnerability exists in the QuickJS engine's standard library when iterating over the global list of unhandled rejected promises ts-rejectedpromiselist. The function jsstdpromiserejectioncheck attempts to iterate over the rejectedpromiselist to report unhandled rejections usi...
CVE-2025-62491
The CVE-2025-62491 entry concerns a Use-After-Free (UAF) in the QuickJS engine’s standard library. The vulnerability occurs in js_std_promise_rejection_check when iterating the global rejected_promise_list; during error reporting, rp->reason may be an Error with a custom property getter, and e...
CVE-2025-62491
A Use-After-Free UAF vulnerability exists in the QuickJS engine's standard library when iterating over the global list of unhandled rejected promises ts-rejectedpromiselist. The function jsstdpromiserejectioncheck attempts to iterate over the rejectedpromiselist to report unhandled rejections usi...
CVE-2025-62491
A Use-After-Free UAF vulnerability exists in the QuickJS engine's standard library when iterating over the global list of unhandled rejected promises ts-rejectedpromiselist. The function jsstdpromiserejectioncheck attempts to iterate over the rejectedpromiselist to report unhandled rejections usi...
CVE-2025-62491 Use-after-free in js_std_promise_rejection_check in QuickJS
A Use-After-Free UAF vulnerability exists in the QuickJS engine's standard library when iterating over the global list of unhandled rejected promises ts-rejectedpromiselist. The function jsstdpromiserejectioncheck attempts to iterate over the rejectedpromiselist to report unhandled rejections usi...
CVE-2025-62490
CVE-2025-62490 affects QuickJS: in js_print_object, during printing of arrays, maps, or sets, the code reads the length and iterates, but printing a value is not side-effect free. An attacker-defined callback during js_print_value could resize or remove items (e.g., in an array or ms->records)...
CVE-2025-62490 Use-after-free in js_print_object in QuickJS
In quickjs, in jsprintobject, when printing an array, the function first fetches the array length and then loops over it. The issue is, printing a value is not side-effect free. An attacker-defined callback could run during jsprintvalue, during which the array could get resized and len1 become ou...
CVE-2025-62490
In quickjs, in jsprintobject, when printing an array, the function first fetches the array length and then loops over it. The issue is, printing a value is not side-effect free. An attacker-defined callback could run during jsprintvalue, during which the array could get resized and len1 become ou...