CVE-2025-69654
Analyzed Analyzed - Analysis Complete
Out-of-Memory Denial of Service in QuickJS Interpreter

Publication date: 2026-03-06

Last updated on: 2026-06-02

Assigner: MITRE

Description
A crafted JavaScript input executed with the QuickJS release 2025-09-13, fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3 (2025-12-11),`qjs` interpreter using the `-m` option and a low memory limit can cause an out-of-memory condition followed by an assertion failure in JS_FreeRuntime (list_empty(&rt->gc_obj_list)) during runtime cleanup. Although the engine reports an OOM error, it subsequently aborts with SIGABRT because the GC object list is not fully released. This results in a denial of service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-06-02
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-69654
EUVD
EUVD-2025-208350
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
quickjs_project quickjs From 2025-09-13 (inc) to 2025-12-11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by running the QuickJS interpreter (`qjs`) with a low memory limit on a crafted JavaScript input file that triggers the issue.

  • Use the command `qjs -m --memory-limit 1M <crafted_input.js>` where `<crafted_input.js>` is a specially crafted JavaScript file designed to cause the out-of-memory condition and subsequent assertion failure.
  • Observe if the interpreter reports an `InternalError: out of memory` followed by an abort with a SIGABRT signal due to an assertion failure in `JS_FreeRuntime`.

Debugging tools like GDB can be used to confirm the crash location, which occurs at line 2036 in `quickjs.c` within the `JS_FreeRuntime` function.

Mitigation Strategies

To mitigate this vulnerability immediately, update the QuickJS interpreter to a version that includes the fix committed on 2025-12-11 (commit fcd33c1afa7b3028531f53cd1190a3877454f6b3).

Avoid running the `qjs` interpreter with very low memory limits when processing untrusted or crafted JavaScript inputs.

Monitor and restrict the use of the `-m` option with low memory limits in environments where denial of service could impact system availability.

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-69654 is a vulnerability in the QuickJS JavaScript engine where running the `qjs` interpreter with a low memory limit on a specially crafted JavaScript input causes an internal assertion failure during runtime cleanup.'}, {'type': 'paragraph', 'content': "When the engine encounters an out-of-memory (OOM) condition, it correctly reports an error, but then it aborts unexpectedly due to a failed assertion in the garbage collector cleanup function `JS_FreeRuntime`. This happens because the garbage collector's object list is not fully released, leading to a crash instead of a clean exit."}] [1]

Impact Analysis

This vulnerability can cause the QuickJS interpreter to crash unexpectedly when processing certain JavaScript inputs under low memory conditions.

The crash results in a denial of service (DoS) because the interpreter aborts with a SIGABRT signal after detecting the out-of-memory condition, preventing normal operation or execution of scripts.

Compliance Impact

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69654. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart