Vulnerability Database

318,275

Total vulnerabilities in the database

CVE-2025-46687

quickjs-ng through 0.9.0 has a missing length check in JS_ReadString for a string, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected.

Published: Apr 27, 2025
Updated: Jan 15, 2026
CVE: CVE-2025-46687
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.6
AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

CWEs:

CWE-770

Affected Software
References

Software	From	Fixed in
bellard / quickjs	-	2025-04-26
quickjs-ng / quickjs	-	0.9.0.x

https://bellard.org/quickjs/Changelog
https://github.com/bellard/quickjs/commit/1eb05e44fad89daafa8ee3eb74b8520b4a37ec9a
https://github.com/bellard/quickjs/issues/399
https://github.com/quickjs-ng/quickjs/commit/28fa43d3ddff2c1ba91b6e3a788b2d7ba82d1465
https://github.com/quickjs-ng/quickjs/issues/1018
https://github.com/quickjs-ng/quickjs/pull/1020

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo