CVE-2025-46687
CVSS 5.6 · MEDIUM
Summary
quickjs-ng through 0.9.0 has a missing length check in JS_ReadString for a string, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected.
CVSS 3.1 breakdown
| Base score | 5.6 (MEDIUM) |
| Vector | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L |
| Attack vector | LOCAL |
| Attack complexity | HIGH |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | CHANGED |
| Confidentiality | LOW |
| Integrity | LOW |
| Availability | LOW |
Weakness type (CWE)
Affected products
- Bellard quickjs
- Quickjs-ng quickjs
References
- https://bellard.org/quickjs/Changelog
- https://github.com/bellard/quickjs/commit/1eb05e44fad89daafa8ee3eb74b8520b4a37ec9a
- https://github.com/bellard/quickjs/issues/399
- https://github.com/quickjs-ng/quickjs/commit/28fa43d3ddff2c1ba91b6e3a788b2d7ba82d1465
- https://github.com/quickjs-ng/quickjs/issues/1018
- https://github.com/quickjs-ng/quickjs/pull/1020
Data: NIST NVD. NVD last modified 2026-01-14. Always verify against the vendor advisory before acting.