{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-62490","assignerOrgId":"14ed7db2-1595-443d-9d34-6215bf890778","state":"PUBLISHED","assignerShortName":"Google","dateReserved":"2025-10-15T08:47:41.877Z","datePublished":"2025-10-16T15:51:06.100Z","dateUpdated":"2025-10-16T18:08:20.982Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://bellard.org/quickjs/","defaultStatus":"unaffected","packageName":"js_print_object","product":"QuickJS","vendor":"QuickJS","versions":[{"lessThan":"2025-09-13","status":"affected","version":"2025-04-26","versionType":"date"}]}],"credits":[{"lang":"en","type":"finder","value":"Google Big Sleep"}],"datePublic":"2025-07-24T22:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: rgb(255, 255, 255);\">In quickjs, in </span><code>js_print_object</code><span style=\"background-color: rgb(255, 255, 255);\">, when printing an array, the function first fetches the array length and then loops over it.&nbsp;</span>The issue is, printing a value is not side-effect free. An attacker-defined callback could run during <code>js_print_value</code>, during which the array could get resized and <code>len1</code>&nbsp;become out of bounds. This results in a use-after-free.<span style=\"background-color: rgb(255, 255, 255);\"><p>A second instance occurs in the same function during printing of a map or set objects. The code iterates over <code>ms-&gt;records</code>&nbsp;list, but once again, elements could be removed from the list during <code>js_print_value</code>&nbsp;call.</p><br></span><br>"}],"value":"In quickjs, in js_print_object, when printing an array, the function first fetches the array length and then loops over it. The issue is, printing a value is not side-effect free. An attacker-defined callback could run during js_print_value, during which the array could get resized and len1 become out of bounds. \nThis results in a use-after-free.A second instance occurs in the same function during printing of a map or set objects. The code iterates over ms->records list, but once again, elements could be removed from the list during js_print_value call."}],"impacts":[{"capecId":"CAPEC-175","descriptions":[{"lang":"en","value":"CAPEC-175 Code Inclusion"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"HIGH","attackRequirements":"PRESENT","attackVector":"ADJACENT","baseScore":8.8,"baseSeverity":"HIGH","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"LOW","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-416","description":"CWE-416 Use After Free","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"14ed7db2-1595-443d-9d34-6215bf890778","shortName":"Google","dateUpdated":"2025-10-16T15:51:06.100Z"},"references":[{"url":"https://bellard.org/quickjs/Changelog"},{"url":"https://issuetracker.google.com/434196651"}],"source":{"discovery":"UNKNOWN"},"title":"Use-after-free in js_print_object in QuickJS","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-10-16T18:07:46.371137Z","id":"CVE-2025-62490","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-16T18:08:20.982Z"}}]}}