CVE-2025-62496: 
Linux Debian vulnerability analysis and mitigation

A vulnerability (CVE-2025-62496) exists in the QuickJS engine's BigInt string parsing logic (jsbigintfrom_string) when attempting to create a BigInt from a string with an excessively large number of digits. The vulnerability was discovered and disclosed on October 16, 2025, affecting the QuickJS JavaScript engine (NVD).

The vulnerability stems from an integer overflow in the calculation of required bits for storing BigInt values. The function calculates nbits using the formula (ndigits × 27 + 7) / 8 for base 10 numbers. For large input strings (approximately 79,536,432 digits or more in base 10), the intermediate calculation exceeds the maximum value of a signed 32-bit integer, resulting in an Integer Overflow. The CVSS v4.0 score is 7.1 (HIGH) with vector string CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L (NVD).

When exploited, the vulnerability leads to a Heap Out-of-Bounds Write as the function attempts to write data past the end of the allocated r->tab array due to the underestimated buffer size. This occurs because the flawed nbits value results in an underestimated nlimbs calculation, leading to insufficient memory allocation for the JSBigInt object (NVD).

The vulnerability has been addressed in the QuickJS engine's latest updates, as indicated in the changelog. A new BigInt implementation optimized for small numbers was introduced in the April 26, 2025 release (QuickJS Changelog).