CVE-2025-62493

Name of the Vulnerable Software and Affected Versions QuickJS (affected versions not specified)

Description An issue exists in the QuickJS engine’s BigInt string conversion logic within the js bigint to string1 function. This is due to an incorrect calculation of the required number of digits, leading to an out-of-bounds read when processing the BigInt structure. The function calculates the number of digits needed for the string representation using a formula that can be inaccurate in certain edge cases, potentially causing the conversion loop to iterate beyond the allocated memory limbs. Specifically, the code attempts to read data from memory beyond the allocated BigInt buffer, which can lead to information disclosure of data stored on the heap. The vulnerability involves reading data from r->tab[pos + 1] when pos points to the last valid limb.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.