CVE-2025-46688HIGH 8.4EPSS p17.2%

CVE-2025-46688CVE-2025-46688

Description

quickjs-ng through 0.9.0 has an incorrect size calculation in JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected.

Scoring

CVSS 3.18.4 (HIGH)
VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.26% probability of exploitation · percentile 17.2% · 2026-06-19T12:03:05Z
Published2025-04-27
Last modified2025-05-30

Underlying weaknesses· 1

CWE-131

References

  1. https://bellard.org/quickjs/Changelog
  2. https://github.com/bellard/quickjs/commit/1eb05e44fad89daafa8ee3eb74b8520b4a37ec9a
  3. https://github.com/bellard/quickjs/issues/399
  4. https://github.com/quickjs-ng/quickjs/commit/28fa43d3ddff2c1ba91b6e3a788b2d7ba82d1465
  5. https://github.com/quickjs-ng/quickjs/issues/1018
  6. https://github.com/quickjs-ng/quickjs/pull/1020
  7. https://github.com/quickjs-ng/quickjs/issues/1018

1

TypeTargetConfidenceTier
WeaknessIncorrect Calculation of Buffer Sizecwe-1310%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-1145
CVE
CVE-2026-0822
CVE
CVE-2025-62496
CVE
CVE-2026-0821
CVE
CVE-2025-69654
CVE
CVE-2025-62495
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.