CVE-2025-69653
Assertion Failure in QuickJS gc_decref_child Causes DoS
Publication date: 2026-03-06
Last updated on: 2026-03-12
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bellard | quickjs | to 2025-12-11 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2025-69653 is a vulnerability in QuickJS, a JavaScript interpreter, that occurs when running the interpreter with the "-m" option on a specially crafted input module.'}, {'type': 'paragraph', 'content': 'The vulnerability triggers an internal assertion failure in the garbage collector function gc_decref_child, where the reference count of a child object is decremented below zero, causing the assertion p->ref_count > 0 to fail.'}, {'type': 'paragraph', 'content': 'This leads to the program aborting with a SIGABRT signal during garbage collection, resulting in a denial-of-service condition.'}, {'type': 'paragraph', 'content': 'The root cause is improper memory management in the garbage collector during module evaluation, specifically a use-after-free or invalid reference count decrement.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can cause the QuickJS interpreter to abort unexpectedly when processing maliciously crafted JavaScript modules with the "-m" option.'}, {'type': 'paragraph', 'content': 'The immediate impact is a denial-of-service (DoS), where the interpreter crashes and stops functioning, potentially disrupting applications or services relying on QuickJS for JavaScript execution.'}, {'type': 'paragraph', 'content': 'If QuickJS is embedded in larger systems or used in environments where availability is critical, this crash could lead to system instability or downtime.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by running the QuickJS interpreter (qjs) with the "-m" option on a specially crafted input module that triggers the internal garbage collector assertion failure.'}, {'type': 'paragraph', 'content': 'A practical detection method is to execute the provided proof-of-concept (PoC) input file using the command:'}, {'type': 'list_item', 'content': './qjs -m <PoC file>'}, {'type': 'paragraph', 'content': 'If the vulnerability is present, the qjs process will abort with a SIGABRT signal due to an internal assertion failure in the garbage collector.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
I don't know