{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-62495","assignerOrgId":"14ed7db2-1595-443d-9d34-6215bf890778","state":"PUBLISHED","assignerShortName":"Google","dateReserved":"2025-10-15T08:47:41.878Z","datePublished":"2025-10-16T15:51:58.953Z","dateUpdated":"2025-10-16T17:42:15.865Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://bellard.org/quickjs/","defaultStatus":"unaffected","packageName":"libregexp","product":"QuickJS","vendor":"QuickJS","versions":[{"lessThan":"2025-09-13","status":"affected","version":"2025-04-26","versionType":"date"}]}],"credits":[{"lang":"en","type":"finder","value":"Google Big Sleep"}],"datePublic":"2025-07-24T22:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>An integer overflow vulnerability exists in the QuickJS regular expression engine (<code>libregexp</code>) due to an <b>inconsistent representation of the bytecode buffer size</b>.</p><ol><li><p>The regular expression bytecode is stored in a <code>DynBuf</code> structure, which correctly uses a $\\text{size}\\_\\text{t}$ (an unsigned type, typically 64-bit) for its <code>size</code> member.</p></li><li><p>However, several functions, such as <code>re_emit_op_u32</code> and other internal parsing routines, incorrectly cast or store this <code>DynBuf</code> $\\text{size}\\_\\text{t}$ value into a signed <b>int</b> (typically 32-bit).</p></li><li><p>When a large or complex regular expression (such as those generated by a recursive pattern in a Proof-of-Concept) causes the bytecode size to exceed <b>$2^{31}$ bytes</b> (the maximum positive value for a signed 32-bit integer), the size value wraps around, resulting in a <b>negative integer</b> when stored in the <code>int</code> variable (Integer Overflow).</p></li><li><p>This negative value is subsequently used in offset calculations. For example, within functions like <code>re_parse_disjunction</code>, the negative size is used to compute an offset (<code>pos</code>) for patching a jump instruction.</p></li><li><p>This negative offset is then incorrectly added to the buffer pointer (<code>s-&gt;byte\\_code.buf + pos</code>), leading to an <b>out-of-bounds write</b> on the first line of the snippet below:</p><blockquote><p><code>put_u32(s-&gt;byte_code.buf + pos, len);</code></p></blockquote></li></ol><br>"}],"value":"An integer overflow vulnerability exists in the QuickJS regular expression engine (libregexp) due to an inconsistent representation of the bytecode buffer size.\n\n  *  The regular expression bytecode is stored in a DynBuf structure, which correctly uses a $\\text{size}\\_\\text{t}$ (an unsigned type, typically 64-bit) for its size member.\n\n\n  *  However, several functions, such as re_emit_op_u32 and other internal parsing routines, incorrectly cast or store this DynBuf $\\text{size}\\_\\text{t}$ value into a signed int (typically 32-bit).\n\n\n  *  When a large or complex regular expression (such as those generated by a recursive pattern in a Proof-of-Concept) causes the bytecode size to exceed $2^{31}$ bytes (the maximum positive value for a signed 32-bit integer), the size value wraps around, resulting in a negative integer when stored in the int variable (Integer Overflow).\n\n\n  *  This negative value is subsequently used in offset calculations. For example, within functions like re_parse_disjunction, the negative size is used to compute an offset (pos) for patching a jump instruction.\n\n\n  *  This negative offset is then incorrectly added to the buffer pointer (s->byte\\_code.buf + pos), leading to an out-of-bounds write on the first line of the snippet below:\n\nput_u32(s->byte_code.buf + pos, len);"}],"impacts":[{"capecId":"CAPEC-175","descriptions":[{"lang":"en","value":"CAPEC-175 Code Inclusion"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"HIGH","attackRequirements":"PRESENT","attackVector":"ADJACENT","baseScore":7.1,"baseSeverity":"HIGH","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"LOW","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-191","description":"CWE-191 Integer Underflow (Wrap or Wraparound)","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"14ed7db2-1595-443d-9d34-6215bf890778","shortName":"Google","dateUpdated":"2025-10-16T15:51:58.953Z"},"references":[{"url":"https://bellard.org/quickjs/Changelog"},{"url":"https://issuetracker.google.com/434196926"}],"source":{"discovery":"UNKNOWN"},"title":"Type confusion in string addition in QuickJS","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-10-16T17:40:14.439633Z","id":"CVE-2025-62495","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-16T17:42:15.865Z"}}]}}