Type Confusion Vulnerability in QuickJS Engine Affecting Multiple Versions
CVE-2025-62494

7.1HIGH

Key Information:

Vendor: Quickjs
Status: Quickjs
Vendor: CVE Published:; 16 October 2025

What is CVE-2025-62494?

A type confusion vulnerability exists in the QuickJS engine's handling of string addition operations. The issue arises when the left-hand operand is verified as a string while the right-hand operand undergoes conversion that can allow an attacker to modify the type of the left operand during execution. This change creates a mismatch that leads to improper handling within the concatenation logic. Such discrepancies may result in out-of-bounds memory access, ultimately exposing systems to memory corruption and potential arbitrary code execution within the QuickJS runtime.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

QuickJS 2025-04-26 < 2025-09-13

References

https://bellard.org/quickjs/Changelog

https://issuetracker.google.com/434193023

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Oct 16, 2025
Vulnerability Reserved
Oct 15, 2025

Credit

Google Big Sleep

JSON

Quickjs

What is CVE-2025-62494?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.