Suggestions search

All statuses

Filter by:

With package: quickjs-ng

Found 3 matching suggestions

View:

Compact

Detailed

Untriaged

Permalink CVE-2026-3979

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 1 month ago

quickjs-ng quickjs quickjs.c js_iterator_concat_return use after free

A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function js_iterator_concat_return of the file quickjs.c. This manipulation causes use after free. The attack requires local access. The exploit has been published and may be used. Patch name: daab4ad4bae4ef071ed0294618d6244e92def4cd. Applying a patch is the recommended action to fix this issue.

References

VDB-350414 | quickjs-ng quickjs quickjs.c js_iterator_concat_return use after free vdb-entrytechnical-description
VDB-350414 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #769600 | quickjs-ng QuickJS 0.12.1 Use-After-Free third-party-advisory
https://github.com/quickjs-ng/quickjs/issues/1368 issue-tracking
https://github.com/quickjs-ng/quickjs/pull/1370 patchissue-tracking
https://github.com/quickjs-ng/quickjs/issues/1368#issue-4004680962 exploitissue-tracking
https://github.com/quickjs-ng/quickjs/commit/daab4ad4bae4ef071ed0294618d6244e92… patch
https://github.com/quickjs-ng/quickjs/ product

Affected products

quickjs

==0.12.1
==0.12.0

Matching in nixpkgs

pkgs.quickjs

Small and embeddable Javascript engine

nixos-unstable 2025-09-13-2
- nixpkgs-unstable 2025-09-13-2
- nixos-unstable-small 2025-09-13-2
nixos-25.11 2025-09-13-2
- nixos-25.11-small 2025-09-13-2
- nixpkgs-25.11-darwin 2025-09-13-2

pkgs.quickjs-ng

Mighty JavaScript engine

nixos-unstable 0.11.0
- nixpkgs-unstable 0.11.0
- nixos-unstable-small 0.11.0
nixos-25.11 0.11.0
- nixos-25.11-small 0.11.0
- nixpkgs-25.11-darwin 0.11.0

pkgs.python312Packages.quickjs

Python wrapper around the quickjs C library

nixos-25.11 1.19.4
- nixos-25.11-small 1.19.4
- nixpkgs-25.11-darwin 1.19.4

pkgs.python313Packages.quickjs

Python wrapper around the quickjs C library

nixos-unstable 1.19.4
- nixpkgs-unstable 1.19.4
- nixos-unstable-small 1.19.4
nixos-25.11 1.19.4
- nixos-25.11-small 1.19.4
- nixpkgs-25.11-darwin 1.19.4

pkgs.python314Packages.quickjs

Python wrapper around the quickjs C library

nixos-unstable 1.19.4
- nixpkgs-unstable 1.19.4
- nixos-unstable-small 1.19.4

pkgs.haskellPackages.mquickjs-hs

Wrapper for the Micro QuickJS JavaScript Engine

nixos-unstable 0.1.2.4
- nixpkgs-unstable 0.1.2.4
- nixos-unstable-small 0.1.2.4

pkgs.python312Packages.llm-tools-quickjs

JavaScript execution as a tool for LLM

nixos-25.11 0.1
- nixos-25.11-small 0.1
- nixpkgs-25.11-darwin 0.1

pkgs.python313Packages.llm-tools-quickjs

JavaScript execution as a tool for LLM

nixos-unstable 0.1
- nixpkgs-unstable 0.1
- nixos-unstable-small 0.1
nixos-25.11 0.1
- nixos-25.11-small 0.1
- nixpkgs-25.11-darwin 0.1

pkgs.python314Packages.llm-tools-quickjs

JavaScript execution as a tool for LLM

nixos-unstable 0.1
- nixpkgs-unstable 0.1
- nixos-unstable-small 0.1

Package maintainers

@stesie Stefan Siegl <stesie@brokenpipe.de>
@philiptaron Philip Taron <philip.taron@gmail.com>

Untriaged

Permalink CVE-2026-1145

6.3 MEDIUM

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 2 months, 4 weeks ago

quickjs-ng quickjs quickjs.c js_typed_array_constructor_ta heap-based overflow

A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue.

References

VDB-341738 | quickjs-ng quickjs quickjs.c js_typed_array_constructor_ta heap-based overflow vdb-entrytechnical-description
VDB-341738 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #735539 | quickjs-ng quickjs v0.11.0 Heap-based Buffer Overflow third-party-advisory
https://github.com/quickjs-ng/quickjs/issues/1305 issue-tracking
https://github.com/quickjs-ng/quickjs/pull/1306 issue-tracking
https://github.com/quickjs-ng/quickjs/issues/1305#issue-3785444372 exploitissue-tracking
https://github.com/paralin/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de… patch

Affected products

quickjs

==0.9
==0.7
==0.11.0
==0.3
==0.1
==0.4
==0.10
==0.6
==0.5
==0.8
==0.2

Matching in nixpkgs

pkgs.quickjs

Small and embeddable Javascript engine

nixos-unstable 2025-04-26
- nixpkgs-unstable 2025-04-26
- nixos-unstable-small 2025-04-26
nixos-25.11 2025-09-13-2
- nixpkgs-25.11-darwin 2025-09-13-2

pkgs.quickjs-ng

Mighty JavaScript engine

nixos-unstable 0.10.1
- nixpkgs-unstable 0.10.1
- nixos-unstable-small 0.10.1
nixos-25.11 0.11.0
- nixpkgs-25.11-darwin 0.11.0

pkgs.python312Packages.quickjs

Python wrapper around the quickjs C library

nixos-unstable 1.19.4
- nixpkgs-unstable 1.19.4
- nixos-unstable-small 1.19.4
nixos-25.11 1.19.4
- nixpkgs-25.11-darwin 1.19.4

pkgs.python313Packages.quickjs

Python wrapper around the quickjs C library

nixos-unstable 1.19.4
- nixpkgs-unstable 1.19.4
- nixos-unstable-small 1.19.4
nixos-25.11 1.19.4
- nixpkgs-25.11-darwin 1.19.4

pkgs.python312Packages.llm-tools-quickjs

JavaScript execution as a tool for LLM

nixos-unstable 0.1
- nixpkgs-unstable 0.1
- nixos-unstable-small 0.1
nixos-25.11 0.1
- nixpkgs-25.11-darwin 0.1

pkgs.python313Packages.llm-tools-quickjs

JavaScript execution as a tool for LLM

nixos-unstable 0.1
- nixpkgs-unstable 0.1
- nixos-unstable-small 0.1
nixos-25.11 0.1
- nixpkgs-25.11-darwin 0.1

Package maintainers

@philiptaron Philip Taron <philip.taron@gmail.com>
@stesie Stefan Siegl <stesie@brokenpipe.de>

Untriaged

Permalink CVE-2026-1144

6.3 MEDIUM

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 2 months, 4 weeks ago

quickjs-ng quickjs Atomics Ops quickjs.c use after free

A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.