Description

A type confusion vulnerability exists in the handling of the string addition (+) operation within the QuickJS engine. * The code first checks if the left-hand operand is a string. * It then attempts to convert the right-hand operand to a primitive value using JS_ToPrimitiveFree. This conversion can trigger a callback (e.g., toString or valueOf). * During this callback, an attacker can modify the type of the left-hand operand in memory, changing it from a string to a different type (e.g., an object or an array). * The code then proceeds to call JS_ConcatStringInPlace, which still treats the modified left-hand value as a string. This mismatch between the assumed type (string) and the actual type allows an attacker to control the data structure being processed by the concatenation logic, resulting in a type confusion condition. This can lead to out-of-bounds memory access, potentially resulting in memory corruption and arbitrary code execution in the context of the QuickJS runtime.

INFO

Published Date :

2025-10-16T15:51:50.977Z

Last Modified :

2025-10-16T17:46:39.174Z

Source :

Google
AFFECTED PRODUCTS

The following products are affected by CVE-2025-62494 vulnerability.

Vendors Products
Quickjs-ng
  • Quickjs
Quickjs Project
  • Quickjs
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-62494.

URL Resource
https://bellard.org/quickjs/Changelog cve-icon cve-icon
https://issuetracker.google.com/434193023 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact