CVE-2025-46688

quickjs-ng through 0.9.0 has an incorrect size calculation in JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:quickjs-ng:quickjs:*:*:*:*:*:*:*:*
cpe:2.3:a:quickjs_project:quickjs:*:*:*:*:*:*:*:*

History

30 May 2025, 16:29

Type Values Removed Values Added
References () https://bellard.org/quickjs/Changelog - () https://bellard.org/quickjs/Changelog - Product
References () https://github.com/bellard/quickjs/commit/1eb05e44fad89daafa8ee3eb74b8520b4a37ec9a - () https://github.com/bellard/quickjs/commit/1eb05e44fad89daafa8ee3eb74b8520b4a37ec9a - Patch
References () https://github.com/bellard/quickjs/issues/399 - () https://github.com/bellard/quickjs/issues/399 - Exploit, Third Party Advisory
References () https://github.com/quickjs-ng/quickjs/commit/28fa43d3ddff2c1ba91b6e3a788b2d7ba82d1465 - () https://github.com/quickjs-ng/quickjs/commit/28fa43d3ddff2c1ba91b6e3a788b2d7ba82d1465 - Patch
References () https://github.com/quickjs-ng/quickjs/issues/1018 - () https://github.com/quickjs-ng/quickjs/issues/1018 - Third Party Advisory
References () https://github.com/quickjs-ng/quickjs/pull/1020 - () https://github.com/quickjs-ng/quickjs/pull/1020 - Patch
First Time Quickjs Project quickjs
Quickjs Project
Quickjs-ng
Quickjs-ng quickjs
CPE cpe:2.3:a:quickjs-ng:quickjs:*:*:*:*:*:*:*:*
cpe:2.3:a:quickjs_project:quickjs:*:*:*:*:*:*:*:*

28 Apr 2025, 17:15

Type Values Removed Values Added
Summary
  • (es) Las versiones quickjs-ng hasta la 0.9.0 tienen un cálculo de tamaño incorrecto en JS_ReadBigInt para un BigInt, lo que provoca un desbordamiento de búfer basado en el montón. Las versiones QuickJS anteriores al 26/04/2025 también se ven afectadas.
References () https://github.com/quickjs-ng/quickjs/issues/1018 - () https://github.com/quickjs-ng/quickjs/issues/1018 -

27 Apr 2025, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-04-27 20:15

Updated : 2025-05-30 16:29


NVD link : CVE-2025-46688

Mitre link : CVE-2025-46688

CVE.ORG link : CVE-2025-46688


JSON object : View

Products Affected

quickjs-ng

  • quickjs

quickjs_project

  • quickjs
CWE
CWE-131

Incorrect Calculation of Buffer Size