UBUNTU-CVE-2025-62495

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-62495

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-62495.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-62495

Upstream

CVE-2025-62495

Published

2025-10-16T16:15:00Z

Modified

2026-05-20T16:23:39.267695575Z

Severity

7.1 (High) CVSS_V4 - CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L CVSS Calculator
8.8 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

An integer overflow vulnerability exists in the QuickJS regular expression engine (libregexp) due to an inconsistent representation of the bytecode buffer size. * The regular expression bytecode is stored in a DynBuf structure, which correctly uses a $\text{size}_\text{t}$ (an unsigned type, typically 64-bit) for its size member. * However, several functions, such as reemitopu32 and other internal parsing routines, incorrectly cast or store this DynBuf $\text{size}_\text{t}$ value into a signed int (typically 32-bit). * When a large or complex regular expression (such as those generated by a recursive pattern in a Proof-of-Concept) causes the bytecode size to exceed $2^{31}$ bytes (the maximum positive value for a signed 32-bit integer), the size value wraps around, resulting in a negative integer when stored in the int variable (Integer Overflow). * This negative value is subsequently used in offset calculations. For example, within functions like reparsedisjunction, the negative size is used to compute an offset (pos) for patching a jump instruction. * This negative offset is then incorrectly added to the buffer pointer (s->byte_code.buf + pos), leading to an out-of-bounds write on the first line of the snippet below: putu32(s->byte_code.buf + pos, len);

References

Affected packages

Ubuntu:Pro:24.04:LTS / quickjs

Package

Name: quickjs
Purl: pkg:deb/ubuntu/quickjs?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2021.*

2021.03.27-1

2021.03.27-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libquickjs",
            "binary_version": "2021.03.27-1ubuntu0.1~esm1"
        },
        {
            "binary_name": "quickjs",
            "binary_version": "2021.03.27-1ubuntu0.1~esm1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-62495.json"

Ubuntu:25.10 / quickjs

Package

Name: quickjs
Purl: pkg:deb/ubuntu/quickjs?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2024.*

2024.01.13-5

2025.*

2025.04.26-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libquickjs",
            "binary_version": "2025.04.26-1"
        },
        {
            "binary_name": "quickjs",
            "binary_version": "2025.04.26-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-62495.json"

Ubuntu:26.04:LTS / quickjs

Package

Name: quickjs
Purl: pkg:deb/ubuntu/quickjs?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2025.*

2025.04.26-1

2025.04.26-1build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libquickjs",
            "binary_version": "2025.04.26-1build1"
        },
        {
            "binary_name": "quickjs",
            "binary_version": "2025.04.26-1build1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-62495.json"