Quickjs CVE-2025-46688

MEDIUM
Incorrect Calculation of Buffer Size (CWE-131)
2025-04-27 cve@mitre.org
5.6 · CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
5.6 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

4 events
Mar 28, 2026 - 18:38 (vuln.today): Analysis Generated
Mar 28, 2026 - 18:38 (nvd): Patch released. Patch available
May 30, 2025 - 16:29 (vuln.today): PoC Detected. Public exploit code
Apr 27, 2025 - 20:15 (nvd): CVE Published. MEDIUM 5.6

Description (CVE.org)

quickjs-ng through 0.9.0 has an incorrect size calculation in JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected.

Analysis (AI)

quickjs-ng through 0.9.0 has an incorrect size calculation in JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow. The vulnerability is rated medium severity (CVSS 5.6) and requires no authentication. Public exploit code is available.

Technical Context (AI)

This vulnerability is classified under CWE-131. quickjs-ng through 0.9.0 has an incorrect size calculation in JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected. Affected products include: Quickjs-Ng Quickjs, Quickjs Project Quickjs. Version information: through 0.9.0.

Remediation (AI)

A vendor patch is available; apply the latest security update as soon as possible. Implement network segmentation and monitoring as interim mitigations.
