CVE-2025-46688

5.6 MEDIUM

📋 TL;DR

This vulnerability is a heap-based buffer overflow in the QuickJS and quickjs-ng JavaScript engines, caused by an incorrect size calculation in JS_ReadBigInt when deserializing BigInt values. It affects applications that embed vulnerable versions of these engines and deserialize untrusted data, potentially allowing memory corruption. QuickJS before 2025-04-26 and quickjs-ng through 0.9.0 are vulnerable.

💻 Affected Systems

Products:
  • QuickJS
  • quickjs-ng
Versions: QuickJS before 2025-04-26, quickjs-ng through 0.9.0
Operating Systems: All platforms where QuickJS/quickjs-ng runs
Default Config Vulnerable: ⚠️ Yes
Notes: Any application embedding these JavaScript engines is affected when processing untrusted BigInt data

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or service disruption

🟠 Likely Case: Application crash or denial of service due to memory corruption

🟢 If Mitigated: Limited impact with proper memory protections and exploit mitigations

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires triggering the vulnerable BigInt parsing code path with crafted input

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: QuickJS 2025-04-26 or later, quickjs-ng 0.9.1 or later

Vendor Advisory: https://bellard.org/quickjs/Changelog

Restart Required: Yes

Instructions:

1. Update QuickJS to 2025-04-26 or later from https://bellard.org/quickjs/
2. Update quickjs-ng to 0.9.1 or later from https://github.com/quickjs-ng/quickjs
3. Rebuild and redeploy any applications using these engines

🔧 Temporary Workarounds

Input validation for BigInt (platform: all)

Validate or sanitize BigInt inputs before processing

Memory protection hardening (platform: linux)

Enable ASLR, DEP, and other memory protection mechanisms

# Full address-space randomization; not persistent across reboots (use sysctl -w kernel.randomize_va_space=2 or /etc/sysctl.d for a persistent setting)
echo 2 > /proc/sys/kernel/randomize_va_space
# kernel.exec-shield exists only on older Red Hat kernels; on mainline kernels NX/DEP is enabled by default and this command fails
sysctl -w kernel.exec-shield=1

🧯 If You Can't Patch

  • Implement strict input validation for BigInt data
  • Isolate QuickJS processes with containerization or sandboxing

🔍 How to Verify

Check if Vulnerable:

Check QuickJS version date or quickjs-ng version number in your application

Check Version:

qjs --version or check embedded library version in your application

Verify Fix Applied:

Verify that the updated version is in use and test with known safe BigInt inputs

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected termination of QuickJS processes

Network Indicators:

  • Unusual patterns of BigInt data being sent to applications

SIEM Query:

process_name:"qjs" AND (event_type:"crash" OR exit_code:139)
