PT-2025-42492 · Quickjs

Published: 2025-10-16 · Updated: 2025-10-17 · CVE-2025-62495

CVSS v3.1: 8.8 High

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

QuickJS versions (affected versions not specified)

Description

An integer overflow exists in the QuickJS regular expression engine (libregexp) due to an inconsistent representation of the bytecode buffer size. The regular expression bytecode size is stored as an unsigned type, but several functions incorrectly cast this value to a signed integer. When the bytecode size exceeds the maximum positive value of a signed 32-bit integer, the size wraps around and becomes a negative integer. This negative value is then used in offset calculations, leading to an out-of-bounds write. The issue occurs when parsing a large or complex regular expression, such as those generated by a recursive pattern. Specifically, functions such as re_emit_op_u32 and re_parse_disjunction are involved in the incorrect casting and offset calculations. The vulnerable parameter is pos, which is used in offset calculations.
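
The signed/unsigned mismatch described above, as an added example that is not QuickJS code: the ByteBuf type and the functions pos_as_signed, naive_in_bounds and patch_u32_checked are hypothetical names, and the buffer is a constructed 8-byte sample. It shows the size wrapping negative, an upper-bound-only check accepting it, and an unsigned, subtraction-based check rejecting it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a bytecode buffer; not QuickJS's own type. */
typedef struct {
    uint8_t *buf;
    size_t   size;   /* bytes in use, kept unsigned */
} ByteBuf;

/* Flawed pattern: narrow the unsigned size to a signed 32-bit position.
   Out-of-range conversion is implementation-defined; on two's-complement
   targets (gcc, clang) it wraps negative once size exceeds INT32_MAX. */
static int32_t pos_as_signed(size_t size)
{
    return (int32_t)(uint32_t)size;
}

/* Upper-bound-only check on a signed position: a negative pos passes. */
static int naive_in_bounds(int32_t pos, int32_t limit)
{
    return (int64_t)pos + 4 <= limit;
}

/* Hardened write: the offset stays unsigned and both ends are validated
   without arithmetic that can wrap. Returns 0 on success, -1 if rejected. */
static int patch_u32_checked(ByteBuf *b, size_t pos, uint32_t val)
{
    if (pos > b->size || b->size - pos < sizeof(val))
        return -1;
    memcpy(b->buf + pos, &val, sizeof(val));
    return 0;
}

int main(void)
{
    uint8_t storage[8] = {0};            /* constructed sample buffer */
    ByteBuf b = { storage, sizeof(storage) };
    size_t big = (size_t)INT32_MAX + 1;  /* first size that no longer fits */
    int32_t pos = pos_as_signed(big);

    printf("signed pos = %d, naive check passes = %d\n",
           (int)pos, naive_in_bounds(pos, 1024));
    printf("checked write at 4: %d, at (size_t)pos: %d\n",
           patch_u32_checked(&b, 4, 0xAABBCCDDu),
           patch_u32_checked(&b, (size_t)pos, 0xAABBCCDDu));
    return 0;
}
```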

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Integer Underflow

Weakness Enumeration

Related Identifiers

CVE-2025-62495

Affected Products

Debian
Quickjs