CVE-2025-12745

5.3 MEDIUM

📋 TL;DR

A buffer over-read in QuickJS's js_array_buffer_slice, the C function in quickjs.c behind ArrayBuffer.prototype.slice, lets a script read bytes beyond the range it is entitled to see. Affected: QuickJS up to commit eb2c89087def1829ed99630cb14b549d7a98408c. The attack vector is scored as local: the attacker must already be able to run JavaScript inside the engine, which in practice means any host that evaluates untrusted scripts. The outcome is disclosure of host process memory or a crash of the host process.

💻 Affected Systems

Products:
  • QuickJS JavaScript engine
Versions: All versions up to commit eb2c89087def1829ed99630cb14b549d7a98408c
Operating Systems: All platforms where QuickJS is deployed
Default Config Vulnerable: ⚠️ Yes
Notes: Every application that embeds QuickJS carries the bug; it matters wherever the engine evaluates JavaScript that an attacker writes or influences (plugin systems, script hosts, rule and template engines built on QuickJS).

📦 What is this software?

QuickJS is a small, embeddable JavaScript engine written in C by Fabrice Bellard (https://github.com/bellard/quickjs). It is normally compiled directly into a host program to run scripts, and also ships as the qjs command-line interpreter.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Disclosure of host process memory to the script (adjacent heap contents, possibly keys or other secrets the host holds), a crash of the host process (denial of service), or use of the leaked memory contents and layout as a stepping stone toward a further bug.

🟠 Likely Case

A crash or wrong results when a script performs a crafted ArrayBuffer slice, with a limited amount of process memory exposed to that script.

🟢 If Mitigated

Contained impact where the engine runs in a sandboxed, least-privilege process that holds nothing sensitive beyond the script's own data: a crash takes down only that process and a leak exposes only that process's memory.

🌐 Internet-Facing: LOW as scored, because the attacker must get JavaScript executed inside the engine. Treat it as higher for any network-facing service that runs attacker-supplied scripts by design (script hosts, plugin runners, rule engines): there the "local" prerequisite is already met.
🏢 Internal Only: MEDIUM - a local user, or a malicious script the host already accepts, can use it to read process memory or crash the application.
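The page does not say how the stale bound arises inside js_array_buffer_slice, so the following is an added illustration of the general shape of an over-read in a slice-style operation, not QuickJS's own code: the copy length is derived from the buffer's length, script-visible code is allowed to run before the copy (in a JS engine that can be a species constructor or a valueOf on an index argument), and the copy then trusts the now-stale length. The vulnerable and hardened variants sit side by side; the hardened one re-validates against the buffer as it is at copy time. All names (Buf, MidOpHook, slice_vulnerable, slice_hardened) and the arena bytes are made up for this example. The "heap neighbour" holding the secret is modelled as a second region of one static array so the over-read stays inside a real allocation and the program is free of undefined behaviour; in a real engine the bytes past the live length can be freed or reused memory, which is what makes the bug a disclosure primitive.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Script-visible buffer: logical length plus backing store. cap is a
 * demo-only guard so the vulnerable path can never leave the arena. */
typedef struct {
    uint8_t *data;
    size_t len;
    size_t cap;
} Buf;

/* Stand-in for any script code that runs in the middle of the operation. */
typedef void (*MidOpHook)(Buf *src);

static size_t clamp(size_t v, size_t hi) { return v > hi ? hi : v; }

/* Vulnerable shape: copy length fixed from len BEFORE the hook runs and
 * never re-validated afterwards. Returns bytes copied. */
size_t slice_vulnerable(Buf *src, size_t start, size_t end, MidOpHook hook,
                        uint8_t *out, size_t out_cap)
{
    size_t len = src->len;
    start = clamp(start, len);
    end = clamp(end, len);
    size_t n = end > start ? end - start : 0;
    if (n > out_cap)
        return 0;

    hook(src);                        /* may shrink src->len or move src->data */

    if (start + n > src->cap)         /* demo-only: keep the bug inside the arena */
        return 0;
    memcpy(out, src->data + start, n); /* reads past src->len if it shrank */
    return n;
}

/* Hardened shape: same flow, but the bounds are checked against the buffer
 * as it is at copy time. Returns bytes copied; 0 with *err = 1 on rejection. */
size_t slice_hardened(Buf *src, size_t start, size_t end, MidOpHook hook,
                      uint8_t *out, size_t out_cap, int *err)
{
    *err = 0;
    size_t len = src->len;
    start = clamp(start, len);
    end = clamp(end, len);
    size_t n = end > start ? end - start : 0;
    if (n > out_cap) {
        *err = 1;
        return 0;
    }

    hook(src);

    if (start > src->len || n > src->len - start) {
        *err = 1;                     /* a real engine would throw TypeError here */
        return 0;
    }
    memcpy(out, src->data + start, n);
    return n;
}

/* Constructed data: the original 8-byte buffer, and an arena standing in for
 * the heap after a shrinking resize moved the buffer into a 4-byte chunk whose
 * neighbour is another object holding bytes the script must not see. */
static uint8_t original[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
static uint8_t arena[12]   = { 0xAA, 0xBB, 0xCC, 0xDD,
                               'S', 'E', 'C', 'R', 'E', 'T', '!', '!' };

static void noop_hook(Buf *src) { (void)src; }

static void shrink_hook(Buf *src)
{
    src->data = arena;   /* buffer now occupies the first 4 bytes of arena */
    src->len  = 4;
    src->cap  = sizeof arena;
}

/* 1 if the vulnerable slice handed back neighbour bytes past the live length. */
int demo_vulnerable_leaks(void)
{
    Buf b = { original, sizeof original, sizeof original };
    uint8_t out[8] = { 0 };
    size_t n = slice_vulnerable(&b, 0, 8, shrink_hook, out, sizeof out);
    return n == 8 && b.len == 4 && memcmp(out + 4, "SECR", 4) == 0;
}

/* 1 if the hardened slice refuses the same sequence. */
int demo_hardened_rejects(void)
{
    Buf b = { original, sizeof original, sizeof original };
    uint8_t out[8] = { 0 };
    int err = 0;
    size_t n = slice_hardened(&b, 0, 8, shrink_hook, out, sizeof out, &err);
    return n == 0 && err == 1;
}

/* 1 if the hardened slice still works when nothing changes mid-operation. */
int demo_hardened_normal(void)
{
    Buf b = { original, sizeof original, sizeof original };
    uint8_t out[8] = { 0 };
    int err = 0;
    size_t n = slice_hardened(&b, 2, 6, noop_hook, out, sizeof out, &err);
    return n == 4 && err == 0 && memcmp(out, "\x03\x04\x05\x06", 4) == 0;
}

int main(void)
{
    printf("vulnerable slice leaks neighbour bytes: %d\n", demo_vulnerable_leaks());
    printf("hardened slice rejects shrunk source:   %d\n", demo_hardened_rejects());
    printf("hardened slice, normal case works:      %d\n", demo_hardened_normal());
    return 0;
}
```

The point to carry into code review of any native slice/copy helper exposed to script: every bound computed before a call that can re-enter the interpreter is stale after that call, so the check that guards the memcpy must be the last thing before it.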

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to execute JavaScript in the QuickJS context; the engine itself exposes no network vector. Public proof-of-concept details are available in the project's GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit c6fe5a98fd3ef3b7064e6e0145dfebfe12449fea

Vendor Advisory: https://github.com/bellard/quickjs/commit/c6fe5a98fd3ef3b7064e6e0145dfebfe12449fea

Restart Required: Yes

Instructions:

1. Update QuickJS to commit c6fe5a98fd3ef3b7064e6e0145dfebfe12449fea or later (the fix is in quickjs.c; if you vendor the engine, pull the change into the vendored copy).
2. Rebuild QuickJS from source.
3. Rebuild and restart every application that links the engine; there is no runtime switch.
4. For embedded systems, rebuild and redeploy the whole firmware or application image.

🔧 Temporary Workarounds

Disable ArrayBuffer.slice functionality

all

Remove the slice method from ArrayBuffer.prototype (and from SharedArrayBuffer.prototype, which QuickJS backs with the same js_array_buffer_slice function) in each context before untrusted script runs, or patch the function out of the source. Either way, legitimate scripts that call slice will break.

# Requires source or context-setup modification - not recommended for production

Sandbox JavaScript execution

linux

Run QuickJS in an isolated container or sandbox with minimal privileges and nothing sensitive in the same process. This does not stop the over-read itself: it only limits what a crash or leaked memory gives the attacker, and only helps if the sandboxed process holds no secrets of its own.

docker run --read-only --cap-drop=ALL -v /path/to/scripts:/scripts quickjs-app

🧯 If You Can't Patch

  • Stop feeding attacker-controlled JavaScript to the engine until patched; where scripts must run, restrict them to vetted code and review any ArrayBuffer or SharedArrayBuffer slice usage in that code
  • Build the host with AddressSanitizer in test and staging so the over-read surfaces as a reported error rather than silent disclosure, and alert on crashes (SIGSEGV, SIGABRT) of the embedding process in production

🔍 How to Verify

Check if Vulnerable:

The checkout is vulnerable if the fix commit is not an ancestor of the revision in use: git merge-base --is-ancestor c6fe5a98fd3ef3b7064e6e0145dfebfe12449fea HEAD || echo 'Vulnerable (or fix commit not present in this clone)'

Check Version:

git log --oneline -1 (shows the checked-out commit). For a vendored copy without git history, read the VERSION file in the QuickJS source tree and compare the vendored quickjs.c against the fix commit linked above.

Verify Fix Applied:

git merge-base --is-ancestor c6fe5a98fd3ef3b7064e6e0145dfebfe12449fea HEAD && echo 'Fixed'

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault logs
  • Memory access violation errors
  • Unexpected application crashes

Network Indicators:

  • None - local exploitation only

SIEM Query:

process.name:"quickjs" AND (event.action:"segmentation_fault" OR event.action:"memory_violation")

Replace "quickjs" with the name of the binary that embeds the engine (the standalone interpreter is qjs): crashes surface under the host application's process name, not the library's. The field names are illustrative and must be mapped to your SIEM's schema.
