CVE-2025-62496

Name of the Vulnerable Software and Affected Versions QuickJS (affected versions not specified)

Description A flaw exists in the QuickJS engine’s BigInt string parsing logic within the js bigint from string function when creating a BigInt from a string containing a very large number of digits. The function calculates the required number of bits using a formula that can cause an Integer Overflow for large input strings. This results in an underestimated memory allocation for the BigInt object, leading to a Heap Out-of-Bounds Write when the data is written to the r->tab array. The formula used for calculation is: n bits = (n digits * 27 + 7) / 8 (for radix 10).

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.