QuickJS
cpe:2.3:a:quickjs_project:quickjs:*:*:*:*:*:*:*
- 1fdc768fdc8571300755cdd3e4654ce99c0255ce
A heap out-of-bounds read exists in the QuickJS engine's implementation of TypedArray.prototype.lastIndexOf() (the method used in the reproduction below), caused by a floating-point precision error in the handling of a negative fromIndex argument. A negative fromIndex is made relative to the end of the array by adding the array length to it. When the negative value has a tiny magnitude (for example -1e-20), that addition is performed in double precision and rounds back to exactly the length, so the computed start index equals the length instead of the last valid index. The backward search therefore begins one element past the end of the typed array's backing buffer.
The result is an out-of-bounds read of the single element immediately following the buffer, which AddressSanitizer reports as a heap-buffer-overflow. Because the method compares that element against the search value and returns its index (equal to the array length) on a match, it acts as an equality oracle on the adjacent memory; depending on the execution environment this can disclose adjacent heap contents.
The issue can be reproduced with an AddressSanitizer (ASan) build of the QuickJS binary by calling TypedArray.prototype.lastIndexOf() on a non-empty typed array with a negative fromIndex of tiny magnitude, such as -1e-20. The ASan log reports a heap-buffer-overflow read, confirming the out-of-bounds access.
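To make the arithmetic concrete, the following C program is an added illustration written for this page; it is not QuickJS source and does not reproduce the project's code. It models the index computation the advisory describes (add the length to a negative fromIndex in double arithmetic, then convert to an integer) beside a spec-ordered version that applies ToIntegerOrInfinity first, and runs both over a constructed one-element array followed by a canary byte standing in for whatever the heap holds after a real buffer. All function and variable names are the example's own; the JavaScript trigger it corresponds to is assumed to be of the form `new Uint8Array(1).lastIndexOf(0, -1e-20)`, a constructed expression rather than one quoted from the page.

```c
#include <math.h>    /* INFINITY/NAN macros only; no libm function calls */
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model (not QuickJS source) of the start-index computation
 * the advisory describes: a negative fromIndex is made relative to the end
 * by adding len in double arithmetic *before* integer conversion. When
 * |fromIndex| is below half an ulp of len, the sum rounds back to exactly
 * len, so the returned start index equals len, one past the last element. */
static int64_t start_index_lossy(double from_index, int64_t len)
{
    int64_t k = len - 1;                     /* default: last element */
    if (from_index != from_index)            /* NaN -> 0 */
        return 0;
    if (from_index >= 0) {
        if (from_index < (double)k)
            k = (int64_t)from_index;
        return k;
    }
    double d = from_index + (double)len;     /* e.g. -1e-20 + 1.0 == 1.0 */
    if (d < 0)
        return -1;                           /* nothing to search */
    return (int64_t)d;                       /* may equal len: out of bounds */
}

/* ECMAScript ToIntegerOrInfinity without libm: NaN -> 0, infinities pass
 * through, everything else truncates toward zero (so -1e-20 -> 0). */
static double to_integer_or_infinity(double x)
{
    if (x != x)
        return 0.0;
    if (x == INFINITY || x == -INFINITY)
        return x;
    if (x >= 9007199254740992.0 || x <= -9007199254740992.0)
        return x;                            /* |x| >= 2^53 is already integral */
    return (double)(int64_t)x;
}

/* Spec-ordered version: integer-convert fromIndex first, then make it
 * relative to the end; the result is always in [-1, len-1] (-1 = no search). */
static int64_t start_index_safe(double from_index, int64_t len)
{
    double n = to_integer_or_infinity(from_index);
    if (n == -INFINITY)
        return -1;
    if (n >= 0)                              /* also covers -0.0 */
        return (n >= (double)len) ? len - 1 : (int64_t)n;
    if (n < -(double)len)
        return -1;
    return len + (int64_t)n;
}

/* Backward search over a logical uint8 array of length len, starting at the
 * index chosen by one of the two functions above. */
static int64_t last_index_of_u8(const uint8_t *buf, int64_t len, uint8_t needle,
                                double from_index, int hardened)
{
    int64_t k = hardened ? start_index_safe(from_index, len)
                         : start_index_lossy(from_index, len);
    for (; k >= 0; k--) {
        if (buf[k] == needle)                /* k == len reads past the array */
            return k;
    }
    return -1;
}

/* Constructed sample: a one-element array (len = 1) followed by a canary
 * byte that stands in for adjacent heap memory after the real buffer. */
static const uint8_t sample[2] = { 0x11, 0xAA };

int main(void)
{
    int64_t len = 1;
    printf("lossy start index, fromIndex=-1e-20, len=1: %lld\n",
           (long long)start_index_lossy(-1e-20, len));
    printf("safe  start index, fromIndex=-1e-20, len=1: %lld\n",
           (long long)start_index_safe(-1e-20, len));
    /* The lossy search "finds" the canary at index 1 == len, acting as an
     * equality oracle on the byte just past the buffer; the safe one cannot. */
    printf("lossy lastIndexOf(0xAA, -1e-20): %lld\n",
           (long long)last_index_of_u8(sample, len, 0xAA, -1e-20, 0));
    printf("safe  lastIndexOf(0xAA, -1e-20): %lld\n",
           (long long)last_index_of_u8(sample, len, 0xAA, -1e-20, 1));
    return 0;
}
```

The canary approach keeps the demonstration memory-safe (the read lands on a byte the program owns) while showing why the ordering matters: converting to an integer before the end-relative addition keeps every start index inside the array, whereas adding first lets a sub-ulp negative value collapse to exactly `len`.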
This vulnerability has been fixed in the QuickJS 2025-09-13 release.