CVE-2025-12745

low-risk
Published 2025-11-05

A weakness has been identified in QuickJS up to eb2c89087def1829ed99630cb14b549d7a98408c. This affects the function js_array_buffer_slice of the file quickjs.c. This manipulation causes buffer over-read. The attack is restricted to local execution. The exploit has been made available to the public and could be exploited. This product adopts a rolling release strategy to maintain continuous delivery Patch name: c6fe5a98fd3ef3b7064e6e0145dfebfe12449fea. To fix this issue, it is recommended to deploy a patch.

Do I need to act?

-
0.02% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Quickjs

Affected Vendors

Bellard

References (10)

Patch https://github.com/bellard/quickjs/commit/c6fe5a98fd3ef3b7064e6e0145dfebfe12449f...
Exploit https://github.com/bellard/quickjs/issues/451
Exploit https://github.com/bellard/quickjs/issues/451#issue-3533698042
Exploit https://github.com/bellard/quickjs/issues/451#issuecomment-3481807558
Permissions Required https://vuldb.com/?ctiid.331268
Third Party Advisory https://vuldb.com/?id.331268
Exploit https://vuldb.com/?submit.678850
Exploit https://github.com/bellard/quickjs/issues/451
Exploit https://github.com/bellard/quickjs/issues/451#issue-3533698042
Exploit https://github.com/bellard/quickjs/issues/451#issuecomment-3481807558
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal