Buffer Over-read Vulnerability in QuickJS Product by Fabrice Bellard
CVE-2025-12745

4.8 MEDIUM

Key Information:

Status
Vendor
CVE Published: 5 November 2025

Badges

👾 Exploit Exists
🟡 Public PoC

What is CVE-2025-12745?

A buffer over-read vulnerability has been discovered in QuickJS, in the function js_array_buffer_slice in the file quickjs.c. The flaw can be exploited during local execution of code. An exploit for this vulnerability is public, which raises the risk for users and developers alike. To mitigate the issue, apply the recommended patch (c6fe5a98fd3ef3b7064e6e0145dfebfe12449fea) to the affected versions of QuickJS.

Affected Version(s)

QuickJS eb2c89087def1829ed99630cb14b549d7a98408c

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved

Credit

im-razvan (VulDB User)