Integer Overflow Vulnerability in QuickJS Engine's BigInt Parsing Logic
CVE-2025-62496
What is CVE-2025-62496?
CVE-2025-62496 is an integer overflow in the QuickJS engine's BigInt string parsing. In js_bigint_from_string, the number of bits needed to hold a parsed digit string is derived from the digit count, and for an extremely long string that calculation exceeds the range of a signed 32-bit integer. The wrapped value produces too small an estimate of the number of memory 'limbs' the BigInt object needs, so the buffer allocated from that estimate is undersized. When the engine then writes the parsed digits into the structure it writes past the end of the allocation, a heap out-of-bounds write. Since the digit string is input the engine is asked to parse, this gives an attacker a way to corrupt heap memory, which could potentially be leveraged into arbitrary code execution.
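To make the bug class concrete, here is an added example written for this page. It is not QuickJS source and does not reproduce js_bigint_from_string; it models the same estimate-then-allocate-then-write sequence with a 64-bit limb width, a ceil(log2(radix)) bits-per-digit bound and a MAX_BIGINT_BITS cap that are all assumptions of the example. The unchecked estimate shows the wrap, the checked one shows the guard a fix needs, and the small hex parser shows the checked estimate keeping every write inside the allocation.

```c
/*
 * Illustrative model of the bug class behind CVE-2025-62496. Added example
 * code for this page: NOT QuickJS source, and not js_bigint_from_string.
 * The 64-bit limb width, the ceil(log2(radix)) digit bound and
 * MAX_BIGINT_BITS are assumptions made for the demonstration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIMB_BITS 64u
#define MAX_BIGINT_BITS (1u << 30)   /* assumed engine cap, not a QuickJS constant */

/* Upper bound on bits needed per digit: ceil(log2(radix)). Over-estimating
 * only wastes a little memory; under-estimating is the bug. */
static unsigned bits_per_digit(unsigned radix)
{
    unsigned b = 0;
    while ((1u << b) < radix)
        b++;
    return b;
}

/* VULNERABLE pattern: digits * bits-per-digit evaluated in 32 bits. For a
 * 2^30-digit hex string the product is exactly 2^32, which wraps to 0, so the
 * caller allocates zero limbs and the parser then writes 2^26 of them: a heap
 * out-of-bounds write. The multiply is done in uint32_t so the wrap is
 * deterministic here; a signed int overflow in real code is undefined
 * behaviour on top of the logic bug. */
int32_t limbs_needed_unchecked(size_t n_digits, unsigned radix)
{
    uint32_t n_bits = (uint32_t)n_digits * bits_per_digit(radix); /* wraps */
    int32_t bits = (int32_t)n_bits;
    return (bits + (int32_t)LIMB_BITS - 1) / (int32_t)LIMB_BITS;
}

/* HARDENED: bound n_digits *before* multiplying, in size_t, against an
 * explicit maximum bit length. The product can then neither wrap nor exceed
 * what the allocator is asked for. */
bool limbs_needed_checked(size_t n_digits, unsigned radix, size_t *limbs_out)
{
    unsigned bpd = bits_per_digit(radix);
    if (bpd == 0 || n_digits > (size_t)MAX_BIGINT_BITS / bpd)
        return false;                         /* reject: too large to represent */
    size_t n_bits = n_digits * bpd;           /* <= MAX_BIGINT_BITS, cannot wrap */
    *limbs_out = (n_bits + LIMB_BITS - 1) / LIMB_BITS;
    return true;
}

/* How far the vulnerable estimate undershoots: the number of limbs the parser
 * would write beyond the allocation (0 means the allocation was sufficient).
 * Assumes a 64-bit size_t so the "true" count itself cannot wrap. */
size_t limbs_short_by(size_t n_digits, unsigned radix)
{
    int32_t est = limbs_needed_unchecked(n_digits, radix);
    size_t allocated = est < 0 ? 0 : (size_t)est;
    size_t needed = (n_digits * bits_per_digit(radix) + LIMB_BITS - 1) / LIMB_BITS;
    return needed > allocated ? needed - allocated : 0;
}

/* Minimal hex-string parser built on the checked estimate: the index bit/64
 * is always below limbs, so every write lands inside the calloc'd block.
 * Input is assumed to be already-validated hex digits (no sign, no prefix).
 * Limbs are little-endian; the caller frees the result. */
uint64_t *parse_hex_bigint(const char *s, size_t *n_limbs)
{
    size_t n = strlen(s), limbs;
    if (n == 0 || !limbs_needed_checked(n, 16, &limbs))
        return NULL;
    uint64_t *v = calloc(limbs, sizeof *v);
    if (!v)
        return NULL;
    for (size_t i = 0; i < n; i++) {          /* most significant digit first */
        unsigned char c = (unsigned char)s[i];
        uint64_t d = c <= '9' ? c - '0' : (c | 0x20) - 'a' + 10;
        size_t bit = (n - 1 - i) * 4;         /* bit position of this nibble */
        v[bit / LIMB_BITS] |= d << (bit % LIMB_BITS);
    }
    *n_limbs = limbs;
    return v;
}

int main(void)
{
    size_t big = (size_t)1 << 30;             /* digit count of a 1 GiB hex string */
    printf("unchecked estimate for 2^30 hex digits: %d limbs\n",
           limbs_needed_unchecked(big, 16));
    printf("parser would write %zu limbs past that allocation\n",
           limbs_short_by(big, 16));
    size_t limbs;
    printf("checked estimate accepts it: %s\n",
           limbs_needed_checked(big, 16, &limbs) ? "yes" : "no (rejected)");
    return 0;
}
```

The practitioner's takeaway is the shape of the guard: compare the digit count against a precomputed quotient before the multiplication happens, in a type at least as wide as the allocation size, and reject rather than clamp. The affected range below ends at the 2025-09-13 release, so upgrading to that release or later is the remediation; the check pattern is what such a fix has to achieve.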

Affected Version(s)
QuickJS 2025-04-26 and later, before 2025-09-13
News Articles
CVE-2025-62496 Impact, Exploitability, and Mitigation Steps | Wiz
Understand the critical aspects of CVE-2025-62496 with a detailed vulnerability assessment, exploitation potential, affected technologies, and remediation guidance.
Timeline
- First article discovered by wiz.io
- Vulnerability published
- Vulnerability reserved
