CVE-2025-62494

Name of the Vulnerable Software and Affected Versions QuickJS (affected versions not specified)

Description A type confusion issue exists in the QuickJS engine related to how the string addition (+) operation is handled. The issue arises because an attacker can manipulate the type of the left-hand operand in memory during a callback triggered when converting the right-hand operand to a primitive value. Specifically, the code checks if the left-hand operand is a string, then attempts to convert the right-hand operand to a primitive value. During this conversion, an attacker can change the left-hand operand’s type from a string to something else, like an object or an array. The code then incorrectly treats the modified left-hand value as a string when calling JS ConcatStringInPlace, leading to a type confusion. This can result in out-of-bounds memory access, potentially causing memory corruption and arbitrary code execution within the QuickJS runtime.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.