CVE-2025-62493
CVSS v4.0 severity:
MEDIUM
Type:
CWE-125
Out-of-bounds read
Publication date:
16/10/2025
Last modified:
29/10/2025
Description
A vulnerability exists in the QuickJS engine's BigInt string conversion logic (js_bigint_to_string1) due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure.

* The function determines the number of characters (n_digits) needed for the string representation by calculating:

$$\text{n\_digits} = (\text{n\_bits} + \text{log2\_radix} - 1) / \text{log2\_radix}$$

This formula is off-by-one in certain edge cases when calculating the necessary memory limbs. For instance, a 127-bit BigInt using radix 32 (where $\text{log2\_radix}=5$) is calculated to need $\text{n\_digits}=26$.

* The maximum number of bits actually stored is $\text{n\_bits}=127$, which requires only two 64-bit limbs ($\text{JS\_LIMB\_BITS}=64$).

* The conversion loop iterates $\text{n\_digits}=26$ times, attempting to read 5 bits in each iteration, totaling $26 \times 5 = 130$ bits.

* In the final iterations of the loop, the code attempts to read data that spans two limbs:

c = (r->tab[pos] >> shift) | (r->tab[pos + 1]
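
An added example, not QuickJS source: a C model of the index arithmetic described above, showing which digit's two-limb read leaves the allocation and a guarded read that does not. It assumes digits are taken `log2_radix` bits at a time starting from bit 0 and that the second limb is read only when a digit straddles a limb boundary; `n_digits_for`, `first_oob_digit` and `read_digit_checked` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

#define LIMB_BITS 64 /* JS_LIMB_BITS in the advisory */

/* Digit count exactly as the advisory states it. */
static unsigned n_digits_for(unsigned n_bits, unsigned log2_radix)
{
    return (n_bits + log2_radix - 1) / log2_radix;
}

/* First digit whose unguarded two-limb read would touch tab[n_limbs],
   or -1 if every read stays inside the allocation. */
static int first_oob_digit(unsigned n_bits, unsigned log2_radix)
{
    unsigned n_limbs = (n_bits + LIMB_BITS - 1) / LIMB_BITS;
    unsigned n = n_digits_for(n_bits, log2_radix);
    for (unsigned i = 0; i < n; i++) {
        unsigned pos = i * log2_radix / LIMB_BITS;
        unsigned shift = i * log2_radix % LIMB_BITS;
        if (shift + log2_radix > LIMB_BITS && pos + 1 >= n_limbs)
            return (int)i;
    }
    return -1;
}

/* Guarded read of digit i: a limb past the end counts as zero. */
static unsigned read_digit_checked(const uint64_t *tab, size_t len,
                                   unsigned i, unsigned log2_radix)
{
    size_t pos = i * log2_radix / LIMB_BITS;
    unsigned shift = i * log2_radix % LIMB_BITS;
    uint64_t c = pos < len ? tab[pos] >> shift : 0;
    if (shift + log2_radix > LIMB_BITS && pos + 1 < len)
        c |= tab[pos + 1] << (LIMB_BITS - shift);
    return (unsigned)(c & ((1u << log2_radix) - 1));
}

int main(void)
{
    /* Constructed sample: 127-bit value with every bit set. */
    uint64_t tab[2] = { UINT64_MAX, UINT64_MAX >> 1 };
    printf("digits=%u first_oob=%d top_digit=%u\n", n_digits_for(127, 5),
           first_oob_digit(127, 5), read_digit_checked(tab, 2, 25, 5));
    return 0;
}
```

For the advisory's case (127 bits, radix 32), digit 25 starts at bit 125 of a 128-bit allocation, so its 5-bit window needs bits 128 and 129 from a third limb that does not exist.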
Impact
Base score 4.0
5.90
Severity 4.0
MEDIUM
Base score 3.x
6.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | To |
|---|---|---|
| cpe:2.3:a:quickjs_project:quickjs:*:*:*:*:*:*:*:* | | 2025-09-13 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



