CVE-2025-62492

Name of the Vulnerable Software and Affected Versions QuickJS (affected versions not specified)

Description An issue exists in the QuickJS engine related to floating-point arithmetic precision errors within the TypedArray.prototype.indexOf() function when a negative fromIndex argument is provided. Specifically, when a very small negative value is used for the fromIndex argument ($d), the addition of this value to the array length (len) can result in a loss of precision, leading to an index calculation that results in len. This causes an out-of-bounds read of one element beyond the array buffer, potentially leading to Information Disclosure of adjacent memory contents. The issue arises because the fromIndex argument, read as a double variable, is used to calculate the starting position for the search.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.