CVE-2025-62490

High CVSS: 8.8

In quickjs, in js_print_object, when printing an array, the function first fetches the array length and then loops over it. The issue is, printing a value is not side-effect free. An attacker-defined callback could run during js_print_value, during which the array could get resized and len1 become out of bounds. This results in a use-after-free.A second instance occurs in the same function during printing of a map or set objects. The code iterates over ms->records list, but once again, elements could be removed from the list during js_print_value call.

Vendor

Quickjs Project

Product

Quickjs

CWE

CWE-416

Yayın Tarihi

2025-10-16 16:15:39

Güncelleme

2025-10-30 16:29:11

Source Identifier

cve-coordination@google.com

KEV Date Added

Kategoriler

CWE-416 Quickjs HIGH Quickjs Project 2025

Referanslar

https://bellard.org/quickjs/Changelog https://issuetracker.google.com/434196651

Benzer Kayıtlar

High

CVE-2025-62495

An integer overflow vulnerability exists in the QuickJS regular expression engine (libregexp) due to an inconsistent rep…

High

CVE-2025-62496

A vulnerability exists in the QuickJS engine's BigInt string parsing logic (js_bigint_from_string) when attempting to cr…

High

CVE-2025-62491

A Use-After-Free (UAF) vulnerability exists in the QuickJS engine's standard library when iterating over the global list…

Medium

CVE-2025-62492

A vulnerability stemming from floating-point arithmetic precision errors exists in the QuickJS engine's implementation o…

Medium

CVE-2025-62493

A vulnerability exists in the QuickJS engine's BigInt string conversion logic (js_bigint_to_string1) due to an incorrect…

High

CVE-2025-62494

A type confusion vulnerability exists in the handling of the string addition (+) operation within the QuickJS engine.…