CVE-2025-46687

Published: Apr 27, 2025Modified: Jan 14, 2026

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

quickjs-ng through 0.9.0 has a missing length check in JS_ReadString for a string, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected.

Affected (2)

Products: Bellard: Quickjs · Quickjs Ng: Quickjs

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Bellard Quickjs	Before 2025-04-26
Quickjs Ng Quickjs	Up to 0.9.0

Related CWEs

CWE-770

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (6)

https://bellard.org/quickjs/Changelog

Source: cve@mitre.org

Release Notes

https://github.com/bellard/quickjs/commit/1eb05e44fad89daafa8ee3eb74b8520b4a37ec9a

Source: cve@mitre.org

Patch

https://github.com/bellard/quickjs/issues/399

Source: cve@mitre.org

ExploitIssue TrackingVendor Advisory

https://github.com/quickjs-ng/quickjs/commit/28fa43d3ddff2c1ba91b6e3a788b2d7ba82d1465

Source: cve@mitre.org

Patch

https://github.com/quickjs-ng/quickjs/issues/1018

Source: cve@mitre.org

ExploitIssue TrackingVendor Advisory

https://github.com/quickjs-ng/quickjs/pull/1020

Source: cve@mitre.org

Issue TrackingPatch

Timeline

No history available yet.