Use-After-Free Vulnerability in QuickJS Affects Multiple Array and Object Operations
CVE-2025-62490

8.8 HIGH

Key Information:

Vendor: Quickjs

Status
Vendor
CVE Published: 16 October 2025

What is CVE-2025-62490?

In QuickJS, the js_print_object function has a vulnerability where printing an array can lead to a use-after-free condition. The function first retrieves the array length and then iterates up to it; however, if an attacker-defined callback is executed during the js_print_value call, it may resize the array, so the iteration index exceeds the array's bounds. A similar issue arises when printing map or set objects: elements can be removed from the ms->records list during js_print_value calls, creating unexpected behaviors and potential exploitation scenarios.
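The array case described above, as an added toy model in C (not QuickJS source and not the project's fix; Vec, walk, shrinking_cb and run are hypothetical names). It contrasts a loop bounded by a length read once with one that re-reads the length after every callback, and counts stale indices instead of dereferencing them.

```c
/* Toy model only: none of these names exist in QuickJS. */
#include <stdio.h>
#include <stdlib.h>

typedef struct Vec { int *items; size_t len; } Vec;
typedef void (*visit_cb)(Vec *v, size_t i);

/* Stand-in for user code reached while one element is being printed:
   at index 1 it shrinks the array to two elements and releases the rest. */
static void shrinking_cb(Vec *v, size_t i) {
    if (i == 1 && v->len > 2) {
        int *p = realloc(v->items, 2 * sizeof *p);
        if (p) v->items = p;
        v->len = 2;
    }
}

/* Walks the array, calling cb once per live element.
   recheck == 0: the bound is the length read before the loop (flawed pattern).
   recheck != 0: the bound is re-read from the array on every iteration.
   Returns how many indices were past the live length when they would have
   been accessed; such slots are only counted, never read. */
static size_t walk(Vec *v, visit_cb cb, int recheck, size_t *visited) {
    size_t cached = v->len, stale = 0;
    *visited = 0;
    for (size_t i = 0; i < (recheck ? v->len : cached); i++) {
        if (i >= v->len) { stale++; continue; }  /* would be a freed slot */
        cb(v, i);
        (*visited)++;
    }
    return stale;
}

/* Builds a constructed 8-element array and walks it with the shrinking callback. */
static size_t run(int recheck, size_t *visited) {
    Vec v = { malloc(8 * sizeof(int)), 8 };
    if (!v.items) return (size_t)-1;
    for (size_t i = 0; i < v.len; i++) v.items[i] = (int)i;
    size_t stale = walk(&v, shrinking_cb, recheck, visited);
    free(v.items);
    return stale;
}

int main(void) {
    size_t n;
    printf("cached length:  %zu stale indices\n", run(0, &n));
    printf("re-read length: %zu stale indices\n", run(1, &n));
    return 0;
}
```

The same reasoning applies to any container walked while callbacks can run, including the record list case the description mentions, which this model does not cover.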

Affected Version(s)

QuickJS 2025-04-26 < 2025-09-13

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Google Big Sleep