CVE-2025-46688: 
NixOS vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability was discovered in quickjs-ng through version 0.9.0 and QuickJS before 2025-04-26. The vulnerability (CVE-2025-46688) stems from an incorrect size calculation in the JS_ReadBigInt function when processing BigInt values. The issue has been assigned a CVSS v3.1 base score of 5.6 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L (NVD, Wiz).

The vulnerability occurs due to an integer overflow in the LEB128 parsing within the JS_ReadBigInt function. When processing a BigInt value, the function performs an incorrect size calculation that leads to allocating a smaller buffer than needed. Specifically, the issue arises when the LEB128 decoding returns 0xFFFFFFFF, which causes an integer overflow in the subsequent buffer size calculation. This results in writing four bytes beyond the allocated buffer size. The vulnerability is classified as CWE-131 (Incorrect Calculation of Buffer Size) (Wiz, QuickJS Issue).

When exploited, this vulnerability can lead to memory corruption through a heap-based buffer overflow, potentially allowing an attacker to execute arbitrary code or cause program crashes. The impact is somewhat mitigated by the local access requirement and high attack complexity (Wiz).

A fix has been implemented and merged through a pull request that addresses the buffer overflows in the string and BigInt deserializer. Users should upgrade to QuickJS versions after 2025-04-26 or quickjs-ng versions after 0.9.0 (QuickJS PR, QuickJS Changelog).