CVE-2025-62494

Oct. 16, 2025, 4:15 p.m.

7.1
High

Description

A type confusion vulnerability exists in the handling of the string addition (+) operation within the QuickJS engine. * The code first checks if the left-hand operand is a string. * It then attempts to convert the right-hand operand to a primitive value using JS_ToPrimitiveFree. This conversion can trigger a callback (e.g., toString or valueOf). * During this callback, an attacker can modify the type of the left-hand operand in memory, changing it from a string to a different type (e.g., an object or an array). * The code then proceeds to call JS_ConcatStringInPlace, which still treats the modified left-hand value as a string. This mismatch between the assumed type (string) and the actual type allows an attacker to control the data structure being processed by the concatenation logic, resulting in a type confusion condition. This can lead to out-of-bounds memory access, potentially resulting in memory corruption and arbitrary code execution in the context of the QuickJS runtime.

Product(s) Impacted

Vendor Product Versions
Quickjs
  • Quickjs
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-704
Incorrect Type Conversion or Cast
The product does not correctly convert an object, resource, or structure from one type to a different type.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a quickjs quickjs / / / / / / / /

References

https://bellard.org/quickjs/Changelog
https://issuetracker.google.com/434193023

Tags

cve-coordination@google.com
CWE-704
2025-10-16
CVE-2025-62494

CVSS Score

7.1 / 10

CVSS Data - 4.0

  • Attack Vector: ADJACENT
  • Attack Complexity: HIGH
  • Attack Requirements: PRESENT
  • Privileges Required: LOW
  • User Interaction: PASSIVE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: LOW
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Oct. 16, 2025, 4:15 p.m.
Last Modified: Oct. 16, 2025, 4:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve-coordination@google.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.