bellard/quickjs

bellard/quickjs

Releases0

Stars10.7K

Public repository of the QuickJS Javascript Engine.

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-69654 ↗	Mar 6, 2026Friday, 6 March 2026, 20:16	7.5 HIGH	—
A crafted JavaScript input executed with the QuickJS release 2025-09-13, fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3 (2025-12-11),`qjs` interpreter using the `-m` option and a low memory limit can cause an out-of-memory condition followed by an assertion failure in JS_FreeRuntime (list_empty(&rt->gc_obj_list)) during runtime cleanup. Although the engine reports an OOM error, it subsequently aborts with SIGABRT because the GC object list is not fully released. This results in a denial of service.
CVE-2025-69653 ↗	Mar 6, 2026Friday, 6 March 2026, 19:16	6.5 MEDIUM	—
A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, fixed in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 (2025-12-11), in file gc_decref_child in quickjs.c, when executed with the qjs interpreter using the -m option. This leads to an abort (SIGABRT) during garbage collection and causes a denial-of-service.
CVE-2025-12745 ↗	Nov 5, 2025Wednesday, 5 November 2025, 19:15	5.3 MEDIUM	4.3 MEDIUM
A weakness has been identified in QuickJS up to eb2c89087def1829ed99630cb14b549d7a98408c. This affects the function js_array_buffer_slice of the file quickjs.c. This manipulation causes buffer over-read. The attack is restricted to local execution. The exploit has been made available to the public and could be exploited. This product adopts a rolling release strategy to maintain continuous delivery Patch name: c6fe5a98fd3ef3b7064e6e0145dfebfe12449fea. To fix this issue, it is recommended to deploy a patch.
CVE-2025-46687 ↗	Apr 27, 2025Sunday, 27 April 2025, 20:15	5.6 MEDIUM	—
quickjs-ng through 0.9.0 has a missing length check in JS_ReadString for a string, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected.
CVE-2025-46688 ↗	Apr 27, 2025Sunday, 27 April 2025, 20:15	5.6 MEDIUM	—
quickjs-ng through 0.9.0 has an incorrect size calculation in JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected.
CVE-2024-33263 ↗	May 14, 2024Tuesday, 14 May 2024, 15:37	4 MEDIUM	—
QuickJS commit 3b45d15 was discovered to contain an Assertion Failure via JS_FreeRuntime(JSRuntime *) at quickjs.c.
CVE-2023-48183 ↗	Apr 23, 2024Tuesday, 23 April 2024, 07:15	7.5 HIGH	—
QuickJS before c4cdd61 has a build_for_in_iterator NULL pointer dereference because of an erroneous lexical scope of "this" with eval.
CVE-2023-48184 ↗	Apr 23, 2024Tuesday, 23 April 2024, 07:15	3.9 LOW	—
QuickJS before 7414e5f has a quickjs.h JS_FreeValueRT use-after-free because of incorrect garbage collection of async functions with closures.
CVE-2023-31922 ↗	May 12, 2023Friday, 12 May 2023, 14:15	7.5 HIGH	—
QuickJS commit 2788d71 was discovered to contain a stack-overflow via the component js_proxy_isArray at quickjs.c.