Use-After-Free Vulnerability in QuickJS Engine Standard Library
CVE-2025-62491

8.8HIGH

Key Information:

Vendor: Quickjs
Status: Quickjs
Vendor: CVE Published:; 16 October 2025

What is CVE-2025-62491?

A Use-After-Free vulnerability has been identified within the QuickJS engine's standard library during the management of unhandled rejected promises. This flaw occurs when the js_std_promise_rejection_check function iterates through the rejected_promise_list to handle unreported promise rejections. When the rejection reason is an Error object with a custom property getter, this getter can execute JavaScript code, including a call to catch() on the same rejection being processed. This leads to the internal removal and freeing of the promise entry from the rejection list, while the iteration continues using freed memory. This results in a potential exploit allowing attackers to execute arbitrary code or manipulate memory unexpectedly.

Affected Version(s)

QuickJS 2025-04-26 < 2025-09-13

References

https://bellard.org/quickjs/Changelog

https://issuetracker.google.com/434195203

CVSS V4

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 16, 2025
Vulnerability Reserved
Oct 15, 2025

Credit

Google Big Sleep

JSON

Quickjs

What is CVE-2025-62491?

Affected Version(s)

References

CVSS V4

Timeline

Credit