
CVE-2025-12745: Buffer Over-read in QuickJS

Severity: Medium
Type: Vulnerability
Published: Wed Nov 05 2025 (11/05/2025, 18:32:07 UTC)
Source: CVE Database V5
Product: QuickJS

Description

A weakness has been identified in QuickJS up to eb2c89087def1829ed99630cb14b549d7a98408c. This affects the function js_array_buffer_slice of the file quickjs.c. This manipulation causes buffer over-read. The attack is restricted to local execution. The exploit has been made available to the public and could be exploited. This product adopts a rolling release strategy to maintain continuous delivery. Patch name: c6fe5a98fd3ef3b7064e6e0145dfebfe12449fea. To fix this issue, it is recommended to deploy a patch.

AI-Powered Analysis

Last updated: 11/05/2025, 19:00:50 UTC

Technical Analysis

CVE-2025-12745 identifies a buffer over-read vulnerability in the QuickJS JavaScript engine, specifically within the js_array_buffer_slice function in quickjs.c. This flaw allows an attacker with local access and limited privileges to cause the program to read beyond the allocated buffer boundaries, potentially leaking sensitive memory data. The vulnerability arises from improper bounds checking during the slicing operation of ArrayBuffer objects, leading to out-of-bounds memory reads. Exploitation does not require user interaction but does require local code execution privileges, limiting the attack surface primarily to local users or processes. The vulnerability has a CVSS 4.8 (medium) score, reflecting its moderate impact on confidentiality with no direct effect on integrity or availability. QuickJS follows a rolling release model, and a patch identified by commit c6fe5a98fd3ef3b7064e6e0145dfebfe12449fea addresses this issue. Although no active exploitation has been reported, public exploit code is available, increasing the risk of future attacks. The vulnerability is relevant for environments where QuickJS is embedded or used locally, such as development tools, embedded devices, or local scripting environments.
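
The analysis above attributes the over-read to improper bounds checking in the slice operation but shows no code. As an added illustration (not QuickJS's code and not the patch itself), this C sketch follows the ECMAScript slice steps: clamp the relative indices, then re-read the source length immediately before the copy. All `demo_*` names and the 16-byte buffer are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical stand-in for an engine's ArrayBuffer (not QuickJS's struct). */
typedef struct {
    uint8_t *data;        /* NULL once detached */
    size_t   byte_length; /* may shrink if the buffer is resized */
} demo_buffer;

/* Map a relative index (negative counts from the end) into [0, len]. */
static size_t clamp_index(int64_t rel, size_t len)
{
    if (rel < 0) {
        uint64_t back = (uint64_t)(-(rel + 1)) + 1; /* |rel|, safe for INT64_MIN */
        return back >= len ? 0 : len - (size_t)back;
    }
    return (uint64_t)rel > len ? len : (size_t)rel;
}

/* Byte count of slice [start, end) over len bytes; *first gets the offset. */
size_t demo_slice_length(size_t len, int64_t start, int64_t end, size_t *first)
{
    size_t last = clamp_index(end, len);
    *first = clamp_index(start, len);
    return last > *first ? last - *first : 0;
}

/* Copy the slice into dst. The source length is read again here because the
 * buffer may have shrunk or been detached after the range was computed. */
size_t demo_slice_copy(const demo_buffer *src, size_t first, size_t new_len,
                       uint8_t *dst, size_t dst_cap)
{
    size_t cur = src->data ? src->byte_length : 0;
    size_t count = new_len < dst_cap ? new_len : dst_cap;
    if (first >= cur) return 0;                       /* range is past the end */
    if (count > cur - first) count = cur - first;     /* trim to what exists */
    memcpy(dst, src->data + first, count);
    return count;
}

/* Constructed scenario: range computed on 16 bytes, buffer shrunk before copy. */
size_t demo_slice_after_resize(int64_t start, int64_t end, size_t len_at_copy)
{
    uint8_t backing[16] = {0}, out[16];
    demo_buffer buf = { backing, sizeof backing };
    size_t first, n = demo_slice_length(buf.byte_length, start, end, &first);
    buf.byte_length = len_at_copy;   /* simulated resize between the steps */
    return demo_slice_copy(&buf, first, n, out, sizeof out);
}
```

Without the second length read in `demo_slice_copy`, the shrunk cases would copy bytes from beyond the live buffer, which is the class of out-of-bounds read the analysis describes.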

Potential Impact

For European organizations, the primary impact of CVE-2025-12745 is the potential exposure of sensitive information due to buffer over-read, which compromises confidentiality. While the vulnerability does not allow remote exploitation or privilege escalation, local attackers or malicious insiders could exploit it to access memory contents beyond intended boundaries. This could lead to leakage of cryptographic keys, credentials, or other sensitive data held in memory. Organizations relying on QuickJS in embedded systems, IoT devices, or local development environments may face increased risk, especially if local access controls are weak. The vulnerability does not directly affect system availability or integrity, but information disclosure could facilitate further attacks. European critical infrastructure or sectors with stringent data protection requirements (e.g., finance, healthcare) should prioritize patching to prevent data leakage. The medium severity reflects the limited attack vector but non-negligible confidentiality impact.

Mitigation Recommendations

1. Apply the official patch identified by commit c6fe5a98fd3ef3b7064e6e0145dfebfe12449fea immediately to all affected QuickJS instances.
2. Restrict local access to systems running QuickJS to trusted users only, employing strict access controls and monitoring.
3. Employ memory protection mechanisms such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to reduce exploitation likelihood.
4. Conduct regular code audits and fuzz testing on QuickJS integrations to detect similar memory safety issues proactively.
5. For embedded or IoT devices using QuickJS, ensure secure firmware update mechanisms to deploy patches efficiently.
6. Monitor local system logs and behavior for unusual activity that could indicate exploitation attempts.
7. Educate developers and system administrators about the risks of local vulnerabilities and the importance of patch management.
8. Consider sandboxing or isolating QuickJS execution environments to limit potential damage from local exploits.


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-11-05T13:54:35.678Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 690b9d3f5191fb7cf229892d

Added to database: 11/5/2025, 6:53:51 PM

Last enriched: 11/5/2025, 7:00:50 PM

Last updated: 11/6/2025, 7:43:48 AM
