Memory Reading Flaw in QuickJS Engine Affecting Multiple Versions
CVE-2025-62493

5.9MEDIUM

Key Information:

Vendor: Quickjs
Status: Quickjs
Vendor: CVE Published:; 16 October 2025

What is CVE-2025-62493?

A flaw exists in the QuickJS engine's string conversion logic for BigInt objects, arising from an inaccurate computation of the required number of digits. This issue can lead to an Out-of-Bounds Read, allowing unauthorized access and potential exposure of sensitive data stored in adjacent memory. Specifically, the logic wrongly calculates the number of digits needed, causing the engine to exceed allocated memory limits during conversion operations. As a result, attackers could exploit this issue to read memory contents that are not intended for access, leading to possible information disclosure surrounding the BigInt object.

Affected Version(s)

QuickJS 2025-04-26 < 2025-09-13

References

https://bellard.org/quickjs/Changelog

https://issuetracker.google.com/434193024

CVSS V4

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 16, 2025
Vulnerability Reserved
Oct 15, 2025

Credit

Google Big Sleep

JSON