A Use-After-Free (UAF) vulnerability exists in the QuickJS engine's standard library when iterating over the global list of unhandled rejected promises (ts->rejected_promise_list).

* The function js_std_promise_rejection_check iterates over the rejected_promise_list with a standard list loop to report unhandled rejections.
* The reason for each promise rejection is processed inside the loop, including a call to js_std_dump_error1(ctx, rp->reason).
* If the rejection reason is an Error object that defines a custom property getter (e.g., via Object.defineProperty), that getter is executed while the error is being dumped.
* A malicious getter can run JavaScript that calls catch() on the same rejected promise currently being processed.
* Calling catch() triggers js_std_promise_rejection_tracker, which removes the current entry (JSRejectedPromiseEntry) from the rejected_promise_list and frees it.
* The loop then advances through the freed entry's list pointer (el), so the next access is a use-after-free.
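The list-walk hazard described above, as an added C model that is not QuickJS code: the list, entry and function names are assumptions, the tracker stand-in doubles as the reentrant reason getter, and the hardened walk unlinks each entry before it runs any callback so that a re-entrant removal has nothing left to free.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of ts->rejected_promise_list: a circular doubly-linked list with a
 * sentinel head, in the style of QuickJS's list.h. All names below are assumptions. */
struct entry { struct entry *prev, *next; int promise_id; };
struct list { struct entry head; };
static void list_init(struct list *l) { l->head.prev = l->head.next = &l->head; }
static bool list_empty(struct list *l) { return l->head.next == &l->head; }
static void list_add_tail(struct list *l, struct entry *e) {
    e->next = &l->head; e->prev = l->head.prev; l->head.prev->next = e; l->head.prev = e;
}
static void list_del(struct entry *e) { e->prev->next = e->next; e->next->prev = e->prev; }
typedef void (*dump_fn)(struct list *l, int promise_id);
static int tracker_frees; /* entries the tracker freed out from under a running check */
/* Stand-in for js_std_promise_rejection_tracker on catch(): unlink and free the promise's
 * entry if still listed. As the dump callback it plays a reason getter calling catch(). */
static void tracker_handled(struct list *l, int promise_id) {
    for (struct entry *e = l->head.next; e != &l->head; e = e->next)
        if (e->promise_id == promise_id) { list_del(e); free(e); tracker_frees++; return; }
}

/* Loop shape from the advisory, kept only for contrast and never called here: dump() may
 * free el, and the el->next evaluated in the loop header then reads freed memory. */
int check_unsafe(struct list *l, dump_fn dump) {
    int n = 0;
    for (struct entry *el = l->head.next; el != &l->head; el = el->next) { dump(l, el->promise_id); n++; }
    return n;
}

/* Hardened form: unlink the entry before running any callback, so a reentrant tracker
 * call cannot find or free it; the loop owns the entry until it frees it itself. */
static int check_safe(struct list *l, dump_fn dump) {
    int n = 0;
    while (!list_empty(l)) {
        struct entry *el = l->head.next; list_del(el);   /* detach first ... */
        dump(l, el->promise_id);    /* ... then run code that may re-enter the tracker */
        free(el); n++;
    }
    return n;
}

/* Lists n_entries rejected promises and runs the hardened check with the reentrant callback.
 * Returns how many were reported, or -1 if the tracker freed anything or an entry remains. */
static int scenario_safe(int n_entries) {
    struct list l; list_init(&l); tracker_frees = 0;
    for (int i = 0; i < n_entries; i++) {
        struct entry *e = malloc(sizeof *e); e->promise_id = i; list_add_tail(&l, e);
    }
    int n = check_safe(&l, tracker_handled);
    return (list_empty(&l) && tracker_frees == 0) ? n : -1;
}
```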
History

Tue, 21 Oct 2025 09:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Quickjs-ng Quickjs-ng quickjs |
| Vendors & Products | | Quickjs-ng Quickjs-ng quickjs |

Thu, 16 Oct 2025 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc |

Thu, 16 Oct 2025 16:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | (description as given above) |
| Title | | Use-after-free in js_std_promise_rejection_check in QuickJS |
| Weaknesses | | CWE-416 |
| References | | |
| Metrics | | cvssV4_0 |
MITRE
Status: PUBLISHED
Assigner: Google
Published: 2025-10-16T15:51:24.238Z
Updated: 2025-10-16T18:04:16.529Z
Reserved: 2025-10-15T08:47:41.878Z
Link: CVE-2025-62491

Vulnrichment
Updated: 2025-10-16T18:04:10.405Z

NVD
Status: Awaiting Analysis
Published: 2025-10-16T16:15:39.470
Modified: 2025-10-21T19:31:50.020
Link: CVE-2025-62491

Redhat
No data.