CVE-2025-46687

5.6 MEDIUM
Published: April 27, 2025 Modified: January 14, 2026
View on NVD

Description

quickjs-ng through 0.9.0 has a missing length check in JS_ReadString for a string, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://bellard.org/quickjs/Changelog
Source: cve@mitre.org
Release Notes
https://github.com/bellard/quickjs/commit/1eb05e44fad89daafa8ee3eb74b8520b4a37ec9a
Source: cve@mitre.org
Patch
https://github.com/bellard/quickjs/issues/399
Source: cve@mitre.org
Exploit Issue Tracking Vendor Advisory
https://github.com/quickjs-ng/quickjs/commit/28fa43d3ddff2c1ba91b6e3a788b2d7ba82d1465
Source: cve@mitre.org
Patch
https://github.com/quickjs-ng/quickjs/issues/1018
Source: cve@mitre.org
Exploit Issue Tracking Vendor Advisory
https://github.com/quickjs-ng/quickjs/pull/1020
Source: cve@mitre.org
Issue Tracking Patch

6 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.6 / 10.0
EPSS (Exploit Probability)
0.1%
26th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-770

Affected Vendors

quickjs-ng bellard

Related CVEs

CVE-2026-4624 7.3
CVE-2026-4623 7.3
CVE-2026-33308 6.8
CVE-2026-3079 6.5
CVE-2026-33307 7.5