6 matches found
CVE-2025-62491
The CVE-2025-62491 entry concerns a Use-After-Free (UAF) in the QuickJS engine’s standard library. The vulnerability occurs in js_std_promise_rejection_check when iterating the global rejected_promise_list; during error reporting, rp->reason may be an Error with a custom property getter, and e...
CVE-2025-62494
Summary: CVE-2025-62494 is a type-confusion vulnerability in the QuickJS engine’s string concatenation path. During the + operation, if the left operand is a string, the code converts the right operand to a primitive via JS_ToPrimitiveFree, which can trigger callbacks (toString/valueOf). While th...
CVE-2025-62495
CVE-2025-62495 describes an integer overflow in QuickJS regExp (libregexp). The DynBuf storing regex bytecode uses size_t, but several internal routines cast the DynBuf size_t to a signed int, so very large/complex patterns can exceed 2^31 bytes. The result is a negative value used for offsets (e...
CVE-2025-46688
CVE-2025-46688 affects quickjs-ng up to 0.9.0, with an incorrect size calculation in JS_ReadBigInt for a BigInt that leads to a heap-based buffer overflow. The vulnerability also affects QuickJS prior to 2025-04-26. Connected sources consistently describe the faulty size computation as the root c...
CVE-2025-62490
CVE-2025-62490 affects QuickJS: in js_print_object, during printing of arrays, maps, or sets, the code reads the length and iterates, but printing a value is not side-effect free. An attacker-defined callback during js_print_value could resize or remove items (e.g., in an array or ms->records)...
CVE-2025-62496
The CVE refers to QuickJS: BigInt parsing in js_bigint_from_string. When converting a decimal string with an extremely large number of digits, the code computes n_bits as (n_digits × 27 + 7) / 8. For very large inputs (e.g., tens of millions of digits), this intermediate value overflows a 32-bit ...