QuickJS
cpe:2.3:a:quickjs_project:quickjs:*:*:*:*:*:*:*
- 1fdc768fdc8571300755cdd3e4654ce99c0255ce
A use-after-free vulnerability has been identified in the 'js_print_object' function of QuickJS. The issue arises when the function prints arrays, maps, or sets. Printing is not side-effect free: an attacker-defined callback can run while a value is being printed, modify the data structure, and cause an out-of-bounds access. The resulting use-after-free condition can be manipulated to execute arbitrary code. The vulnerability was found in QuickJS version 2025-09-13.
Exploitation of this vulnerability causes a heap-use-after-free condition, which can lead to arbitrary code execution.
The vulnerability can be reproduced using the AddressSanitizer (ASan) build of the QuickJS binary. For the array case, create an array and add an error object with a getter that resizes the array. When the array is printed, the resizing causes a use-after-free error. For the map case, add an error object to a map with a getter that deletes a map entry, causing a similar use-after-free error when the map is printed. The object shape case involves adding properties to an object through an error object's getter, which can also lead to a use-after-free error when the object is printed.
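The array case above is an instance of a general hazard: iterating a container while a callback can mutate it. The following is an added example, not QuickJS code and not the upstream fix. It models the bug class with hypothetical names (`Vec`, `Elem`, `sum_cached`, `sum_revalidated`) and contrasts a loop that caches the buffer pointer and length with one that revalidates both on every iteration.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model (assumption, not QuickJS code): reading an element may run a getter. */
typedef struct Vec Vec;
typedef struct { int value; int (*getter)(Vec *owner); } Elem;
struct Vec { Elem *items; size_t len; };

/* Shrink into a fresh buffer and free the old one (requires 1 <= n <= len). */
void vec_shrink(Vec *v, size_t n) {
    Elem *fresh = malloc(n * sizeof *fresh);
    if (!fresh) abort();
    memcpy(fresh, v->items, n * sizeof *fresh);
    free(v->items);            /* pointers cached before this call now dangle */
    v->items = fresh; v->len = n;
}

/* Constructed getter: mutates the container it is being read from. */
int shrinking_getter(Vec *owner) { vec_shrink(owner, 1); return 100; }

/* Unsafe, for contrast, never called: base and n stay cached across the callback. */
int sum_cached(Vec *v) {
    Elem *base = v->items; size_t n = v->len; int sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += base[i].getter ? base[i].getter(v) : base[i].value;
    return sum;
}

/* Hardened pattern: re-read len and items each pass, copy the element first. */
int sum_revalidated(Vec *v) {
    int sum = 0;
    for (size_t i = 0; i < v->len; i++) {
        Elem e = v->items[i];  /* copy before the callback can free the buffer */
        sum += e.getter ? e.getter(v) : e.value;
    }
    return sum;
}

/* Constructed input: element 0 shrinks the array from 4 entries to 1. */
int run_demo(size_t *final_len) {
    Vec v = { malloc(4 * sizeof(Elem)), 4 };
    if (!v.items) abort();
    for (int i = 0; i < 4; i++) v.items[i] = (Elem){ i, NULL };
    v.items[0].getter = shrinking_getter;
    int sum = sum_revalidated(&v);
    *final_len = v.len;
    free(v.items);
    return sum;
}
int main(void) { size_t n; return run_demo(&n) == 100 && n == 1 ? 0 : 1; }
```

The revalidating loop stops after the first element because the length it re-reads has dropped to 1.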
Users can update to QuickJS version 2025-09-13, where this vulnerability has been fixed.