CVE-2025-69653
Analyzed Analyzed - Analysis Complete
Assertion Failure in QuickJS gc_decref_child Causes DoS

Publication date: 2026-03-06

Last updated on: 2026-06-02

Assigner: MITRE

Description
A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, fixed in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 (2025-12-11), in file gc_decref_child in quickjs.c, when executed with the qjs interpreter using the -m option. This leads to an abort (SIGABRT) during garbage collection and causes a denial-of-service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-06-02
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-14
NVD
CVE-2025-69653
EUVD
EUVD-2025-208349
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
quickjs_project quickjs From 2025-09-13 (inc) to 2025-12-11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-69653 is a vulnerability in QuickJS, a JavaScript interpreter, that occurs when running the interpreter with the "-m" option on a specially crafted input module.'}, {'type': 'paragraph', 'content': 'The vulnerability triggers an internal assertion failure in the garbage collector function gc_decref_child, where the reference count of a child object is decremented below zero, causing the assertion p->ref_count > 0 to fail.'}, {'type': 'paragraph', 'content': 'This leads to the program aborting with a SIGABRT signal during garbage collection, resulting in a denial-of-service condition.'}, {'type': 'paragraph', 'content': 'The root cause is improper memory management in the garbage collector during module evaluation, specifically a use-after-free or invalid reference count decrement.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can cause the QuickJS interpreter to abort unexpectedly when processing maliciously crafted JavaScript modules with the "-m" option.'}, {'type': 'paragraph', 'content': 'The immediate impact is a denial-of-service (DoS), where the interpreter crashes and stops functioning, potentially disrupting applications or services relying on QuickJS for JavaScript execution.'}, {'type': 'paragraph', 'content': 'If QuickJS is embedded in larger systems or used in environments where availability is critical, this crash could lead to system instability or downtime.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by running the QuickJS interpreter (qjs) with the "-m" option on a specially crafted input module that triggers the internal garbage collector assertion failure.'}, {'type': 'paragraph', 'content': 'A practical detection method is to execute the provided proof-of-concept (PoC) input file using the command:'}, {'type': 'list_item', 'content': './qjs -m <PoC file>'}, {'type': 'paragraph', 'content': 'If the vulnerability is present, the qjs process will abort with a SIGABRT signal due to an internal assertion failure in the garbage collector.'}] [1]

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69653. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart