CVE-2025-62495: 
Linux Debian vulnerability analysis and mitigation

An integer overflow vulnerability exists in the QuickJS regular expression engine (libregexp) due to an inconsistent representation of the bytecode buffer size. The vulnerability was discovered and disclosed in October 2025, affecting the QuickJS JavaScript engine's regular expression parsing functionality (NVD).

The vulnerability stems from a type mismatch in buffer size handling. The regular expression bytecode is stored in a DynBuf structure that uses sizet (typically 64-bit unsigned) for its size member, but several functions like reemitopu32 and other internal parsing routines incorrectly cast this value to a signed 32-bit integer. When processing large or complex regular expressions that cause the bytecode size to exceed 2^31 bytes, an integer overflow occurs, resulting in a negative value. The vulnerability has been assigned a CVSS v4.0 Base Score of 7.1 (HIGH) with the vector string CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L (NVD).

The vulnerability leads to out-of-bounds write operations when the negative offset is used in buffer pointer calculations, specifically in functions like reparsedisjunction where the negative size is used to compute an offset for patching jump instructions. This can result in memory corruption and potential arbitrary code execution (NVD).

The vulnerability has been identified and is currently under evaluation for various Linux distributions. For Ubuntu 24.04 LTS, the package is marked as 'Needs evaluation' status (Ubuntu CVE). A fix was released in the QuickJS changelog dated September 13, 2025 (QuickJS Changelog).