CVE-2025-62496
Severity CVSS v4.0:
HIGH
Type:
CWE-190
Integer Overflow or Wraparound
Publication date:
16/10/2025
Last modified:
28/10/2025
Description
A vulnerability exists in the QuickJS engine&#39;s BigInt string parsing logic (js_bigint_from_string) when attempting to create a BigInt from a string with an excessively large number of digits.<br />
<br />
The function calculates the necessary number of bits (n_bits) required to store the BigInt using the formula:<br />
<br />
$$\text{n\_bits} = (\text{n\_digits} \times 27 + 7) / 8 \quad (\text{for radix 10})$$<br />
<br />
* For large input strings (e.g., $79,536,432$ digits or more for base 10), the intermediate calculation $(\text{n\_digits} \times 27 + 7)$ exceeds the maximum value of a standard signed 32-bit integer, resulting in an Integer Overflow.<br />
<br />
<br />
* The resulting n_bits value becomes unexpectedly small or even negative due to this wrap-around.<br />
<br />
<br />
* This flawed n_bits is then used to compute n_limbs, the number of memory "limbs" needed for the BigInt object. Since n_bits is too small, the calculated n_limbs is also significantly underestimated.<br />
<br />
<br />
* The function proceeds to allocate a JSBigInt object using this underestimated n_limbs.<br />
<br />
<br />
* When the function later attempts to write the actual BigInt data into the allocated object, the small buffer size is quickly exceeded, leading to a Heap Out-of-Bounds Write as data is written past the end of the allocated r->tab array.
Impact
Base Score 4.0
7.10
Severity 4.0
HIGH
Base Score 3.x
8.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:quickjs_project:quickjs:*:*:*:*:*:*:*:* | 2025-09-13 (excluding) |
To consult the complete list of CPE names with products and versions, see this page