Integer Overflow Vulnerability in QuickJS Engine's BigInt Parsing Logic
CVE-2025-62496

7.1 HIGH

Key Information:

Vendor: Quickjs
Status: Vendor
CVE Published: 16 October 2025

What is CVE-2025-62496?

A vulnerability in the QuickJS engine's BigInt string parsing logic can lead to integer overflow when processing extremely large digit strings. The issue arises in the js_bigint_from_string function, where the calculation of bits necessary for storage can exceed the limits of a signed 32-bit integer. This results in an improper estimation of the number of memory 'limbs' required for the BigInt object. Consequently, the actual memory allocation may be insufficient, leading to a Heap Out-of-Bounds Write when the engine attempts to write data into the allocated structure. This poses significant security risks as it can be exploited to manipulate memory, potentially leading to arbitrary code execution.
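To make the bug class concrete, the following added example (not QuickJS's own code) contrasts a hypothetical limb-count estimator that does its bit arithmetic in a 32-bit signed integer with an overflow-checked version that refuses inputs whose bit requirement cannot be represented. It assumes 64-bit limbs and a conservative budget of 4 bits per decimal digit; both constants are assumptions for illustration, not QuickJS's actual values.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this example, not QuickJS's real constants:
 * limbs are 64 bits wide and each decimal digit is budgeted 4 bits
 * (ceil(log2(10))), a safe over-estimate of the bits actually needed. */
#define LIMB_BITS 64
#define BITS_PER_DIGIT 4

/* Vulnerable pattern: the bit count is computed in a 32-bit signed int.
 * The (uint32_t) cast makes the wrap deterministic for the demonstration;
 * the effect matches the bug: a huge digit string yields a tiny (or
 * negative) limb count, so the allocation is too small for the data. */
static int32_t naive_limb_count(int32_t ndigits) {
    int32_t bits = (int32_t)((uint32_t)ndigits * BITS_PER_DIGIT);
    return (bits + LIMB_BITS - 1) / LIMB_BITS;
}

/* Hardened pattern: compute in 64 bits and reject anything that would not
 * fit the 32-bit field later used for sizing. Returns -1 on overflow so the
 * caller can fail the parse instead of under-allocating. */
static int32_t checked_limb_count(int64_t ndigits) {
    if (ndigits < 0)
        return -1;
    int64_t bits;
    if (__builtin_mul_overflow(ndigits, (int64_t)BITS_PER_DIGIT, &bits))
        return -1;
    if (bits > INT32_MAX - (LIMB_BITS - 1))
        return -1;  /* the rounding add below must stay within int32 too */
    return (int32_t)((bits + LIMB_BITS - 1) / LIMB_BITS);
}

int main(void) {
    /* Constructed digit counts: small, large-but-representable, and one
     * whose bit requirement (2^32) wraps the naive 32-bit calculation. */
    int32_t inputs[] = { 100, 500000000, 1 << 30 };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("digits=%d naive_limbs=%d checked_limbs=%d\n",
               (int)inputs[i], (int)naive_limb_count(inputs[i]),
               (int)checked_limb_count(inputs[i]));
    }
    return 0;
}
```

For 2^30 digits the naive estimator returns 0 limbs while the checked one returns -1; a parser that trusted the naive value would allocate nothing and then write the parsed digits past the end of the object.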

Affected Version(s)

QuickJS from 2025-04-26 up to (excluding) 2025-09-13

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: High
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Google Big Sleep