Home > Vulnerability Database > CVE-2025-62490

Mend.io Vulnerability Database

CVE-2025-62490

Date: October 16, 2025

In quickjs, in js_print_object, when printing an array, the function first fetches the array length and then loops over it. The issue is, printing a value is not side-effect free. An attacker-defined callback could run during js_print_value, during which the array could get resized and len1 become out of bounds. This results in a use-after-free.A second instance occurs in the same function during printing of a map or set objects. The code iterates over ms->records list, but once again, elements could be removed from the list during js_print_value call.

Severity Score

8.8

Related Resources (4)

Url: https://bellard.org/quickjs/Changelog

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-62490

Url: https://issuetracker.google.com/434196651

Url: https://www.mend.io/vulnerability-database/CVE-2025-62490

Severity Score

8.8

Weakness Type (CWE)

Use After Free

CWE-416

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	ADJACENT_NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-62490

Date: October 16, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?