CVE-2025-46688

MEDIUM

QuickJS <2025-04-26 - Buffer Overflow

Title source: llm

Description

quickjs-ng through 0.9.0 has an incorrect size calculation in JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected.

References (6)

[Product] https://bellard.org/quickjs/Changelog

[Patch] https://github.com/bellard/quickjs/commit/1eb05e44fad89daafa8ee3eb74b8520b4a37ec9a

View Patch ZIP pw:eip

[Exploit, Third Party Advisory] https://github.com/bellard/quickjs/issues/399

[Patch] https://github.com/quickjs-ng/quickjs/commit/28fa43d3ddff2c1ba91b6e3a788b2d7ba82d1465

View Patch ZIP pw:eip

[Third Party Advisory] https://github.com/quickjs-ng/quickjs/issues/1018

[Patch] https://github.com/quickjs-ng/quickjs/pull/1020

Scores

CVSS v3 5.6

EPSS 0.0009

EPSS Percentile 25.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-131

Status published

Products (2)

quickjs-ng/quickjs < 0.9.0

quickjs_project/quickjs < 2025-04-26

Published Apr 27, 2025

Tracked Since Feb 18, 2026