Out-of-Bounds Read Vulnerability in QuickJS Engine Affecting Google Products
CVE-2025-62492

5.9MEDIUM

Key Information:

Vendor: Quickjs
Status: Quickjs
Vendor: CVE Published:; 16 October 2025

What is CVE-2025-62492?

A precision error in floating-point arithmetic within the QuickJS engine's TypedArray.prototype.indexOf() function can lead to an Out-of-Bounds Read. This occurs when a negative fromIndex argument is processed; a small negative value may cause the starting index for element search to be miscalculated. As a result, the engine may attempt to read data beyond the valid bounds of the array, leading to potential information disclosure of sensitive memory contents, contingent upon the execution environment.

Affected Version(s)

QuickJS 2025-04-26 < 2025-09-13

References

https://bellard.org/quickjs/Changelog

https://issuetracker.google.com/434194797

CVSS V4

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 16, 2025
Vulnerability Reserved
Oct 15, 2025

Credit

Google Big Sleep

JSON