CVE-2025-69654
Out-of-Memory Denial of Service in QuickJS Interpreter
Publication date: 2026-03-06
Last updated on: 2026-03-12
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bellard | quickjs | to 2025-12-11 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69654 is a vulnerability in the QuickJS JavaScript engine where running the `qjs` interpreter with a low memory limit on a specially crafted JavaScript input causes an internal assertion failure during runtime cleanup.
When the engine encounters an out-of-memory (OOM) condition, it correctly reports an error, but then it aborts unexpectedly due to a failed assertion in the garbage collector cleanup function `JS_FreeRuntime`. This happens because the garbage collector's object list is not fully released, leading to a crash instead of a clean exit. [1]
How can this vulnerability impact me?
This vulnerability can cause the QuickJS interpreter to crash unexpectedly when processing certain JavaScript inputs under low memory conditions.
The crash results in a denial of service (DoS) because the interpreter aborts with a SIGABRT signal after detecting the out-of-memory condition, preventing normal operation or execution of scripts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running the QuickJS interpreter (`qjs`) with a low memory limit on a crafted JavaScript input file that triggers the issue.
- Use the command `qjs -m --memory-limit 1M <crafted_input.js>` where `<crafted_input.js>` is a specially crafted JavaScript file designed to cause the out-of-memory condition and subsequent assertion failure.
- Observe if the interpreter reports an `InternalError: out of memory` followed by an abort with a SIGABRT signal due to an assertion failure in `JS_FreeRuntime`.
Debugging tools like GDB can be used to confirm the crash location, which occurs at line 2036 in `quickjs.c` within the `JS_FreeRuntime` function.
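The observation step described above, as an added example that is not part of the original page or of the QuickJS project: a shell helper that classifies one `qjs` run from its exit status and captured stderr. The exit status 134 for SIGABRT (128 + 6, Linux numbering), the label names, and the sample stderr lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not QuickJS project code): classify one qjs run.
# Typical use, with hypothetical file names:
#   qjs --memory-limit 1M script.js 2>err.log; classify_qjs_run "$?" err.log

# Assumption: Linux signal numbering, where sh reports a child killed by
# SIGABRT (signal 6) as exit status 128 + 6.
SIGABRT_STATUS=134

classify_qjs_run() {
    status=$1
    stderr_file=$2
    saw_oom=no
    saw_free_runtime=no
    # Both marker strings are the ones quoted in the text above.
    if grep -q 'InternalError: out of memory' "$stderr_file"; then saw_oom=yes; fi
    if grep -q 'JS_FreeRuntime' "$stderr_file"; then saw_free_runtime=yes; fi

    if [ "$status" -eq 0 ]; then
        echo clean
    elif [ "$status" -eq "$SIGABRT_STATUS" ] && [ "$saw_oom" = yes ]; then
        # OOM was reported, then the process aborted instead of exiting.
        if [ "$saw_free_runtime" = yes ]; then
            echo oom-then-abort-in-JS_FreeRuntime
        else
            echo oom-then-abort
        fi
    elif [ "$status" -eq "$SIGABRT_STATUS" ]; then
        echo abort-without-oom
    elif [ "$saw_oom" = yes ]; then
        # OOM reported and the process exited without aborting.
        echo oom-handled
    else
        echo other-failure
    fi
}

# Constructed sample: stderr shaped like the symptom described above.
classify_constructed_sample() {
    sample=$(mktemp)
    printf '%s\n' 'InternalError: out of memory' \
        'qjs: quickjs.c:2036: JS_FreeRuntime: assertion failed (constructed line)' > "$sample"
    classify_qjs_run "$SIGABRT_STATUS" "$sample"
    rm -f "$sample"
}
```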
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update the QuickJS interpreter to a version that includes the fix committed on 2025-12-11 (commit fcd33c1afa7b3028531f53cd1190a3877454f6b3).
Avoid running the `qjs` interpreter with very low memory limits when processing untrusted or crafted JavaScript inputs.
Monitor and restrict the use of the `-m` option with low memory limits in environments where denial of service could impact system availability.