{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-62494","assignerOrgId":"14ed7db2-1595-443d-9d34-6215bf890778","state":"PUBLISHED","assignerShortName":"Google","dateReserved":"2025-10-15T08:47:41.878Z","datePublished":"2025-10-16T15:51:50.977Z","dateUpdated":"2025-10-16T17:46:39.174Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://bellard.org/quickjs/","defaultStatus":"unaffected","packageName":"JS_ConcatStringInPlace","product":"QuickJS","vendor":"QuickJS","versions":[{"lessThan":"2025-09-13","status":"affected","version":"2025-04-26","versionType":"date"}]}],"credits":[{"lang":"en","type":"finder","value":"Google Big Sleep"}],"datePublic":"2025-07-24T22:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>A type confusion vulnerability exists in the handling of the <b>string addition (<code>+</code>) operation</b> within the QuickJS engine.</p><ol><li><p>The code first checks if the <b>left-hand operand</b> is a <b>string</b>.</p></li><li><p>It then attempts to convert the <b>right-hand operand</b> to a primitive value using <code>JS_ToPrimitiveFree</code>. This conversion can trigger a <b>callback</b> (e.g., <code>toString</code> or <code>valueOf</code>).</p></li><li><p>During this callback, an attacker can modify the <b>type</b> of the <b>left-hand operand</b> in memory, changing it from a string to a different type (e.g., an object or an array).</p></li><li><p>The code then proceeds to call <code>JS_ConcatStringInPlace</code>, which still treats the modified left-hand value as a string.</p></li></ol><p>This mismatch between the assumed type (string) and the actual type allows an attacker to control the data structure being processed by the concatenation logic, resulting in a <b>type confusion condition</b>. This can lead to out-of-bounds memory access, potentially resulting in <b>memory corruption</b> and <b>arbitrary code execution</b> in the context of the QuickJS runtime.</p><br>"}],"value":"A type confusion vulnerability exists in the handling of the string addition (+) operation within the QuickJS engine.\n\n  *  The code first checks if the left-hand operand is a string.\n\n\n  *  It then attempts to convert the right-hand operand to a primitive value using JS_ToPrimitiveFree. This conversion can trigger a callback (e.g., toString or valueOf).\n\n\n  *  During this callback, an attacker can modify the type of the left-hand operand in memory, changing it from a string to a different type (e.g., an object or an array).\n\n\n  *  The code then proceeds to call JS_ConcatStringInPlace, which still treats the modified left-hand value as a string.\n\n\nThis mismatch between the assumed type (string) and the actual type allows an attacker to control the data structure being processed by the concatenation logic, resulting in a type confusion condition. This can lead to out-of-bounds memory access, potentially resulting in memory corruption and arbitrary code execution in the context of the QuickJS runtime."}],"impacts":[{"capecId":"CAPEC-175","descriptions":[{"lang":"en","value":"CAPEC-175 Code Inclusion"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"HIGH","attackRequirements":"PRESENT","attackVector":"ADJACENT","baseScore":7.1,"baseSeverity":"HIGH","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"LOW","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-704","description":"CWE-704 Incorrect Type Conversion or Cast","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"14ed7db2-1595-443d-9d34-6215bf890778","shortName":"Google","dateUpdated":"2025-10-16T15:51:50.977Z"},"references":[{"url":"https://bellard.org/quickjs/Changelog"},{"url":"https://issuetracker.google.com/434193023"}],"source":{"discovery":"UNKNOWN"},"title":"Type confusion in string addition in QuickJS","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-10-16T17:46:18.542287Z","id":"CVE-2025-62494","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-16T17:46:39.174Z"}}]}}