CVE-2025-46687 | THREATINT

Description

quickjs-ng through 0.9.0 has a missing length check in JS_ReadString for a string, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected.

PUBLISHED Reserved 2025-04-27 | Published 2025-04-27 | Updated 2025-04-28 | Assigner mitre

MEDIUM: 5.6CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Problem types

CWE-770 Allocation of Resources Without Limits or Throttling

Product status

Default status

unaffected

Any version before 2025-04-26

affected

References

github.com/quickjs-ng/quickjs/issues/1018

github.com/quickjs-ng/quickjs/pull/1020

github.com/...ommit/1eb05e44fad89daafa8ee3eb74b8520b4a37ec9a

github.com/...ommit/28fa43d3ddff2c1ba91b6e3a788b2d7ba82d1465

github.com/bellard/quickjs/issues/399

bellard.org/quickjs/Changelog

cve.org (CVE-2025-46687)

nvd.nist.gov (CVE-2025-46687)

Download JSON