CVE-2025-62493
Severity CVSS v4.0: MEDIUM
Type: CWE-125 Out-of-bounds Read
Publication date: 16/10/2025
Last modified: 29/10/2025
Description
A vulnerability exists in the QuickJS engine's BigInt string conversion logic (js_bigint_to_string1) due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure.

* The function determines the number of characters (n_digits) needed for the string representation by calculating:

$$\text{n\_digits} = (\text{n\_bits} + \text{log2\_radix} - 1) / \text{log2\_radix}$$

This formula is off-by-one in certain edge cases when calculating the necessary memory limbs. For instance, a 127-bit BigInt using radix 32 (where $\text{log2\_radix}=5$) is calculated to need $\text{n\_digits}=26$.

* The maximum number of bits actually stored is $\text{n\_bits}=127$, which requires only two 64-bit limbs ($\text{JS\_LIMB\_BITS}=64$).

* The conversion loop iterates $\text{n\_digits}=26$ times, attempting to read 5 bits in each iteration, totaling $26 \times 5 = 130$ bits.

* In the final iterations of the loop, the code attempts to read data that spans two limbs:

```c
c = (r->tab[pos] >> shift) | (r->tab[pos + 1]
```
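
The arithmetic in the description can be checked with a small model. The following C is an added example, not QuickJS source: it counts the loop iterations whose two-limb read would index past the limb array, and shows a bounds-checked digit extraction. The function names, the constructed 2^127 - 1 sample value and the zero-fill check in `digit_at` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LIMB_BITS 64 /* JS_LIMB_BITS=64 in the advisory */

/* Digit count exactly as given by the advisory's formula. */
static int n_digits_for(int n_bits, int log2_radix) {
    return (n_bits + log2_radix - 1) / log2_radix;
}

/* Bounds-checked digit extraction (hypothetical helper): a limb past the
 * end of tab contributes zero bits instead of being read. */
static unsigned digit_at(const uint64_t *tab, size_t len, int i, int log2_radix) {
    int bit_pos = i * log2_radix;
    size_t pos = (size_t)bit_pos / LIMB_BITS;
    int shift = bit_pos % LIMB_BITS;
    uint64_t c = pos < len ? tab[pos] >> shift : 0;
    if (shift + log2_radix > LIMB_BITS && pos + 1 < len)
        c |= tab[pos + 1] << (LIMB_BITS - shift);
    return (unsigned)(c & ((1u << log2_radix) - 1));
}

/* Count iterations whose unchecked two-limb read would index tab[pos + 1]
 * with pos + 1 >= len, i.e. read past the limb array. */
static int count_oob_limb_reads(int n_bits, size_t len, int log2_radix) {
    int n = n_digits_for(n_bits, log2_radix), oob = 0;
    for (int i = 0; i < n; i++) {
        int bit_pos = i * log2_radix;
        size_t pos = (size_t)bit_pos / LIMB_BITS;
        int shift = bit_pos % LIMB_BITS;
        if (shift + log2_radix > LIMB_BITS && pos + 1 >= len)
            oob++;
    }
    return oob;
}

int main(void) {
    /* Constructed sample: the 127-bit value 2^127 - 1 stored in two limbs. */
    const uint64_t tab[2] = { UINT64_MAX, UINT64_MAX >> 1 };
    printf("n_digits=%d oob=%d top_digit=%u\n", n_digits_for(127, 5),
           count_oob_limb_reads(127, 2, 5), digit_at(tab, 2, 25, 5));
    return 0;
}
```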
Impact
Base Score 4.0: 5.90
Severity 4.0: MEDIUM
Base Score 3.x: 6.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:quickjs_project:quickjs:*:*:*:*:*:*:*:* | | 2025-09-13 (excluding) |



