This page lists publicly disclosed CVE vulnerabilities affecting quickjs_project quickjs (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-69654 | A crafted JavaScript input executed with the QuickJS release 2025-09-13, fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3 (2025-12-11),`qjs` interpreter using the `-m` option and a low memory limit can cause an out-of-memory condition followed by an assertion failure in JS_FreeRuntime (list_empty(&rt->gc_obj_list)) during runtime cleanup. Although the engine reports an OOM error, it subsequently aborts with SIGABRT because the GC object list is not fully released. This results in a denia | [email protected] | 7.5 | 0.28% | 2026-03-06 | 2026-06-17 |
| CVE-2025-69653 | A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, fixed in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 (2025-12-11), in file gc_decref_child in quickjs.c, when executed with the qjs interpreter using the -m option. This leads to an abort (SIGABRT) during garbage collection and causes a denial-of-service. | [email protected] | 6.5 | 0.21% | 2026-03-06 | 2026-06-17 |
| CVE-2025-62496 | A vulnerability exists in the QuickJS engine's BigInt string parsing logic (js_bigint_from_string) when attempting to create a BigInt from a string with an excessively large number of digits. The function calculates the necessary number of bits (n_bits) required to store the BigInt using the formula: $$\text{n\_bits} = (\text{n\_digits} \times 27 + 7) / 8 \quad (\text{for radix 10})$$ * For large input strings (e.g., $79,536,432$ digits or more for base 10), the intermediate calculation $( | [email protected] | 7.1 | 0.44% | 2025-10-16 | 2026-06-17 |
| CVE-2025-62495 | An integer overflow vulnerability exists in the QuickJS regular expression engine (libregexp) due to an inconsistent representation of the bytecode buffer size. * The regular expression bytecode is stored in a DynBuf structure, which correctly uses a $\text{size}\_\text{t}$ (an unsigned type, typically 64-bit) for its size member. * However, several functions, such as re_emit_op_u32 and other internal parsing routines, incorrectly cast or store this DynBuf $\text{size}\_\text{t}$ value | [email protected] | 7.1 | 0.42% | 2025-10-16 | 2026-06-17 |
| CVE-2025-62494 | A type confusion vulnerability exists in the handling of the string addition (+) operation within the QuickJS engine. * The code first checks if the left-hand operand is a string. * It then attempts to convert the right-hand operand to a primitive value using JS_ToPrimitiveFree. This conversion can trigger a callback (e.g., toString or valueOf). * During this callback, an attacker can modify the type of the left-hand operand in memory, changing it from a string to a different type | [email protected] | 7.1 | 0.47% | 2025-10-16 | 2026-06-17 |
| CVE-2025-62493 | A vulnerability exists in the QuickJS engine's BigInt string conversion logic (js_bigint_to_string1) due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure. * The function determines the number of characters (n_digits) needed for the string representation by calculating: $$ \\ \text{n\_digits} = (\text{n\_bits} + \text{log2\_radix} - 1) / \text{log2\_radix}$$ $$$$This formula is off-by-one in certain edge | [email protected] | 5.9 | 0.35% | 2025-10-16 | 2026-06-17 |
| CVE-2025-62492 | A vulnerability stemming from floating-point arithmetic precision errors exists in the QuickJS engine's implementation of TypedArray.prototype.indexOf() when a negative fromIndex argument is supplied. * The fromIndex argument (read as a double variable, $d$) is used to calculate the starting position for the search. * If d is negative, the index is calculated relative to the end of the array by adding the array's length (len) to d: $$d_{new} = d + \text{len}$$ * Due to the inher | [email protected] | 5.9 | 0.36% | 2025-10-16 | 2026-06-17 |
| CVE-2025-62491 | A Use-After-Free (UAF) vulnerability exists in the QuickJS engine's standard library when iterating over the global list of unhandled rejected promises (ts->rejected_promise_list). * The function js_std_promise_rejection_check attempts to iterate over the rejected_promise_list to report unhandled rejections using a standard list loop. * The reason for a promise rejection is processed inside the loop, including calling js_std_dump_error1(ctx, rp->reason). * If the promise rejection | [email protected] | 8.8 | 0.37% | 2025-10-16 | 2026-06-17 |
| CVE-2025-62490 | In quickjs, in js_print_object, when printing an array, the function first fetches the array length and then loops over it. The issue is, printing a value is not side-effect free. An attacker-defined callback could run during js_print_value, during which the array could get resized and len1 become out of bounds. This results in a use-after-free.A second instance occurs in the same function during printing of a map or set objects. The code iterates over ms->records list, but once again, elements | [email protected] | 8.8 | 0.37% | 2025-10-16 | 2026-06-17 |
| CVE-2025-46688 | quickjs-ng through 0.9.0 has an incorrect size calculation in JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected. | [email protected] | 5.6 | 0.26% | 2025-04-27 | 2026-06-17 |
| CVE-2023-48184 | QuickJS before 7414e5f has a quickjs.h JS_FreeValueRT use-after-free because of incorrect garbage collection of async functions with closures. | [email protected] | 3.9 | 0.34% | 2024-04-23 | 2026-06-17 |
| CVE-2023-48183 | QuickJS before c4cdd61 has a build_for_in_iterator NULL pointer dereference because of an erroneous lexical scope of "this" with eval. | [email protected] | 7.5 | 0.64% | 2024-04-23 | 2026-06-17 |
| CVE-2023-31922 | QuickJS commit 2788d71 was discovered to contain a stack-overflow via the component js_proxy_isArray at quickjs.c. | [email protected] | 7.5 | 0.73% | 2023-05-12 | 2026-06-17 |
| CVE-2020-22876 | Buffer Overflow vulnerability in quickjs.c in QuickJS, allows remote attackers to cause denial of service. This issue is resolved in the 2020-07-05 release. | [email protected] | 7.5 | 1.55% | 2021-07-13 | 2026-06-17 |