CVE-2025-62490: 
Linux Debian vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2025-62490) was discovered in QuickJS's jsprintobject function. The vulnerability was disclosed on October 16, 2025. The issue affects the array printing functionality in QuickJS, where an attacker-defined callback could manipulate array sizes during value printing operations (NVD).

The vulnerability occurs in two scenarios within the jsprintobject function. First, when printing an array, the function fetches the array length and then iterates over it. Since printing values isn't side-effect free, an attacker-defined callback during jsprintvalue execution could resize the array, causing len1 to become out of bounds. Second, a similar issue exists when printing map or set objects, where elements could be removed from the ms->records list during jsprintvalue calls. The vulnerability has been assigned a CVSS v4.0 score of 8.8 HIGH with the vector string CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L (NVD).

The vulnerability can lead to use-after-free conditions, which could potentially result in code execution or program crashes. The CVSS score indicates high potential impact on both confidentiality and integrity, with lower impact on availability (NVD).

A fix for this vulnerability is documented in the QuickJS changelog for the September 13, 2025 release, which includes improvements to the printing functionality and various bug fixes (QuickJS Changelog).