CVE-2025-62492

6.5 MEDIUM

📋 TL;DR

A floating-point precision error in QuickJS's TypedArray.prototype.indexOf() allows an out-of-bounds memory read when an extremely small negative fromIndex value (for example -1e-20) is supplied. This affects any application embedding the QuickJS JavaScript engine and can expose the contents of adjacent memory. The vulnerability enables limited information disclosure, not code execution.

💻 Affected Systems

Products:
  • QuickJS JavaScript Engine
Versions: All versions before the fix (specific version unknown from provided data)
Operating Systems: All platforms running QuickJS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default QuickJS builds when using TypedArray.prototype.indexOf() with negative fromIndex arguments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Information disclosure of sensitive data from adjacent memory buffers, potentially exposing cryptographic keys, authentication tokens, or other application secrets.

🟠 Likely Case

Limited memory leak revealing non-sensitive data from adjacent buffers, possibly causing application instability or crashes.

🟢 If Mitigated

No impact if proper memory isolation and sandboxing prevent access to sensitive adjacent memory regions.

🌐 Internet-Facing: MEDIUM - Exploitation requires attacker control over JavaScript execution, but many web applications use JavaScript engines.
🏢 Internal Only: LOW - Requires local code execution or specific JavaScript execution contexts within applications.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires precise control over JavaScript input and knowledge of memory layout. No public exploit code identified in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown specific version - check QuickJS changelog for fixes to TypedArray.prototype.indexOf()

Vendor Advisory: https://bellard.org/quickjs/Changelog

Restart Required: No

Instructions:

1. Check the QuickJS changelog for the latest version.
2. Update QuickJS to the patched version.
3. Recompile/redeploy applications using QuickJS.

🔧 Temporary Workarounds

Input validation for fromIndex (platforms: all)

Validate and sanitize fromIndex arguments before passing them to TypedArray.prototype.indexOf()

Avoid negative fromIndex values (platforms: all)

Rewrite code to avoid using negative fromIndex arguments with TypedArray.prototype.indexOf()
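One way to apply the first workaround, as an added example that is not part of the advisory or of QuickJS: normalize fromIndex to an integer in [0, length] exactly as ECMA-262 specifies (ToIntegerOrInfinity, then clamp) before the engine ever sees it, so a value such as -1e-20 is turned into 0 by the wrapper and the engine's own floating-point handling is never exercised. The function names are the example's own.

```javascript
// Added example (not from the advisory): wrap TypedArray.prototype.indexOf so
// that the engine only ever receives an integer start index in [0, length].

// ECMA-262 ToIntegerOrInfinity: NaN -> 0, +/-Infinity kept, else truncate
// toward zero, with -0 collapsed to +0 (this is where -1e-20 becomes 0).
function toIntegerOrInfinity(value) {
  const n = Number(value);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  const t = Math.trunc(n);
  return t === 0 ? 0 : t;
}

// Resolve fromIndex the way the spec does for indexOf: negative values count
// from the end, and the result is clamped to [0, len]. All arithmetic is on
// integers, so len + k cannot silently round back to len.
function normalizeFromIndex(fromIndex, len) {
  let k = toIntegerOrInfinity(fromIndex);
  if (k === Infinity) return len;   // nothing left to search
  if (k === -Infinity) return 0;
  if (k < 0) k = Math.max(len + k, 0);
  return Math.min(k, len);
}

// Safe indexOf: checks the receiver, normalizes the start index, and returns
// the spec result (-1) itself when the start is past the end instead of
// handing an out-of-range start to the engine.
function safeTypedArrayIndexOf(ta, searchElement, fromIndex = 0) {
  if (!ArrayBuffer.isView(ta) || ta instanceof DataView) {
    throw new TypeError('expected a TypedArray');
  }
  const start = normalizeFromIndex(fromIndex, ta.length);
  if (start >= ta.length) return -1;
  return ta.indexOf(searchElement, start);
}
```

The wrapper is only a stop-gap for code paths you control; it does not protect script supplied by an untrusted party, which must be handled by patching or sandboxing.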

🧯 If You Can't Patch

  • Implement strict input validation for all JavaScript execution
  • Isolate QuickJS execution in sandboxed environments with memory protection

🔍 How to Verify

Check if Vulnerable:

Test with JavaScript code: new Uint8Array(10).indexOf(0, -1e-20) and check for out-of-bounds behavior. A conforming engine treats the fromIndex as 0 and returns 0 here; run the test under a memory sanitizer (for example an ASan build) to catch a silent out-of-bounds read.

Check Version:

quickjs --version or check build configuration

Verify Fix Applied:

After update, test the same JavaScript code and verify no out-of-bounds access occurs

📡 Detection & Monitoring

Log Indicators:

  • Memory access violations
  • Segmentation faults in QuickJS processes
  • Unexpected application crashes

Network Indicators:

  • Unusual JavaScript payloads with extremely small negative numbers

SIEM Query:

Process:quickjs AND (EventID:1000 OR ExceptionCode:c0000005)
