A type confusion vulnerability exists in the handling of the string addition (+) operation within the QuickJS engine.
The code first checks if the left-hand operand is a string.
It then attempts to convert the right-hand operand to a primitive value using JS_ToPrimitiveFree. This conversion can trigger a callback (e.g., toString or valueOf).
During this callback, an attacker can modify the type of the left-hand operand in memory, changing it from a string to a different type (e.g., an object or an array).
The code then proceeds to call JS_ConcatStringInPlace, which still treats the modified left-hand value as a string.
This mismatch between the assumed type (string) and the actual type allows an attacker to control the data structure being processed by the concatenation logic, resulting in a type confusion condition. This can lead to out-of-bounds memory access, potentially resulting in memory corruption and arbitrary code execution in the context of the QuickJS runtime.
The product does not correctly convert an object, resource, or structure from one type to a different type.