CVE-2025-62495
Gravedad CVSS v4.0:
ALTA
Tipo:
CWE-191
Subdesbordamiento de entero
Fecha de publicación:
16/10/2025
Última modificación:
29/10/2025
Descripción
*** Pendiente de traducción *** An integer overflow vulnerability exists in the QuickJS regular expression engine (libregexp) due to an inconsistent representation of the bytecode buffer size.<br />
<br />
* The regular expression bytecode is stored in a DynBuf structure, which correctly uses a $\text{size}\_\text{t}$ (an unsigned type, typically 64-bit) for its size member.<br />
<br />
<br />
* However, several functions, such as re_emit_op_u32 and other internal parsing routines, incorrectly cast or store this DynBuf $\text{size}\_\text{t}$ value into a signed int (typically 32-bit).<br />
<br />
<br />
* When a large or complex regular expression (such as those generated by a recursive pattern in a Proof-of-Concept) causes the bytecode size to exceed $2^{31}$ bytes (the maximum positive value for a signed 32-bit integer), the size value wraps around, resulting in a negative integer when stored in the int variable (Integer Overflow).<br />
<br />
<br />
* This negative value is subsequently used in offset calculations. For example, within functions like re_parse_disjunction, the negative size is used to compute an offset (pos) for patching a jump instruction.<br />
<br />
<br />
* This negative offset is then incorrectly added to the buffer pointer (s->byte\_code.buf + pos), leading to an out-of-bounds write on the first line of the snippet below:<br />
<br />
put_u32(s->byte_code.buf + pos, len);
Impacto
Puntuación base 4.0
7.10
Gravedad 4.0
ALTA
Puntuación base 3.x
8.80
Gravedad 3.x
ALTA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:quickjs_project:quickjs:*:*:*:*:*:*:*:* | 2025-09-13 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página