Integer Overflow Vulnerability in QuickJS Regular Expression Engine
CVE-2025-62495

7.1HIGH

Key Information:

Vendor: Quickjs
Status: Quickjs
Vendor: CVE Published:; 16 October 2025

What is CVE-2025-62495?

An integer overflow vulnerability exists in the QuickJS regular expression engine's handling of bytecode buffer sizes. When a large or complex regular expression exceeds the positive limits of a signed 32-bit integer, it can cause a wrap-around, resulting in a negative value that is used in offset calculations. This miscalculation allows for out-of-bounds writes, potentially leading to memory corruption or execution of arbitrary code.

Affected Version(s)

QuickJS 2025-04-26 < 2025-09-13

References

https://bellard.org/quickjs/Changelog

https://issuetracker.google.com/434196926

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 16, 2025
Vulnerability Reserved
Oct 15, 2025

Credit

Google Big Sleep

JSON

Quickjs

What is CVE-2025-62495?

Affected Version(s)

References

CVSS V4

Timeline

Credit