
CVE-2025-69654: n/a

Severity: High
Type: Vulnerability
Published: Fri Mar 06 2026 (03/06/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

A crafted JavaScript input executed with the `qjs` interpreter from QuickJS release 2025-09-13 (fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3, 2025-12-11), using the `-m` option and a low memory limit, can cause an out-of-memory condition followed by an assertion failure in JS_FreeRuntime (list_empty(&rt->gc_obj_list)) during runtime cleanup. Although the engine reports an OOM error, it subsequently aborts with SIGABRT because the GC object list is not fully released. This results in a denial of service.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/14/2026, 19:13:40 UTC

Technical Analysis

CVE-2025-69654 is a denial-of-service vulnerability in the QuickJS JavaScript engine, specifically in the 2025-09-13 release. The issue arises when a specially crafted JavaScript input is executed using the `-m` command-line option with a low memory limit. Under these conditions, the engine encounters an out-of-memory (OOM) error during execution. Although the engine correctly reports the OOM condition, it subsequently fails during the runtime cleanup phase in the JS_FreeRuntime function. This failure is due to an assertion triggered by the garbage collector's object list not being empty (list_empty(&rt->gc_obj_list) assertion failure). As a result, the interpreter aborts with a SIGABRT signal, causing an abrupt termination of the process. This behavior leads to a denial of service, as the affected QuickJS interpreter instance cannot continue running. The vulnerability does not compromise confidentiality or integrity but severely impacts availability. Exploitation requires no privileges or user interaction and can be triggered remotely if the QuickJS interpreter is exposed. The vulnerability is tracked under CWE-400 (Uncontrolled Resource Consumption). The issue was fixed in a commit dated 2025-12-11 (commit fcd33c1afa7b3028531f53cd1190a3877454f6b3). No public exploits are known at this time, but the CVSS v3.1 base score is 7.5, reflecting high severity due to ease of exploitation and impact on availability.

Potential Impact

The primary impact of CVE-2025-69654 is denial of service, which can disrupt applications or services relying on the QuickJS engine for JavaScript execution. Organizations embedding QuickJS in constrained environments, such as IoT devices, edge computing platforms, or lightweight server-side applications, are particularly at risk. An attacker can remotely trigger the vulnerability without authentication or user interaction, causing the interpreter to abort unexpectedly and potentially leading to service outages or system instability. This could affect critical infrastructure components that depend on QuickJS for scripting or automation, resulting in operational downtime and potential cascading failures. Although no data confidentiality or integrity is compromised, the loss of availability can impact business continuity, user experience, and trust. The vulnerability's ease of exploitation and lack of prerequisites increase the risk of widespread attacks once exploit code becomes available.

Mitigation Recommendations

To mitigate CVE-2025-69654, organizations should immediately update QuickJS to the fixed version released after the 2025-12-11 commit (fcd33c1afa7b3028531f53cd1190a3877454f6b3). If upgrading is not immediately feasible, consider implementing strict input validation and sandboxing to limit the execution of untrusted JavaScript code, especially when using the `-m` option. Monitor resource usage closely and configure memory limits conservatively to avoid low-memory conditions that trigger the vulnerability. Employ runtime monitoring and alerting for abnormal process terminations or SIGABRT signals in systems running QuickJS. For embedded or IoT devices, ensure secure update mechanisms are in place to deploy patches promptly. Additionally, restrict network exposure of services using QuickJS to trusted environments to reduce the attack surface. Finally, maintain incident response plans to quickly address potential denial-of-service incidents related to this vulnerability.
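One way to act on the isolation and SIGABRT-monitoring recommendations above is to run the interpreter as a supervised child process and triage how it exits. This is an added example, not code from this page or from the QuickJS project; `run_isolated`, `stand_in`, the status labels and the stand-in child commands are assumptions made for illustration, and the signal handling assumes a POSIX host.

```python
import signal
import subprocess
import sys

# Assertion expression quoted in the CVE description.
ASSERT_TEXT = "list_empty(&rt->gc_obj_list)"


def run_isolated(argv, timeout=10.0):
    """Run an interpreter command as a child process and triage its exit.

    Status labels and the dict layout are this example's own (hypothetical).
    """
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              errors="replace", timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "signal": None, "alert": True}
    rc = proc.returncode
    if rc >= 0:
        # Normal exit: 0 is success, non-zero is an ordinary script error.
        return {"status": "ok" if rc == 0 else "error",
                "signal": None, "alert": False}
    # POSIX: a negative return code means the child died from signal -rc.
    try:
        name = signal.Signals(-rc).name
    except ValueError:
        name = f"SIG{-rc}"
    if name == "SIGABRT" and ASSERT_TEXT in proc.stderr:
        status = "abort-gc-assert"   # matches the failure mode described here
    elif name == "SIGABRT":
        status = "abort"
    else:
        status = "killed"
    return {"status": status, "signal": name, "alert": True}


def stand_in(body):
    """Constructed stand-in child so the example runs without qjs installed."""
    return [sys.executable, "-c", body]


if __name__ == "__main__":
    crash = stand_in("import os, sys; sys.stderr.write("
                     "'list_empty(&rt->gc_obj_list)'); "
                     "sys.stderr.flush(); os.abort()")
    print(run_isolated(crash))
    print(run_isolated(stand_in("import sys; sys.exit(1)")))
```

In a deployment, pass the real interpreter command line to `run_isolated` instead of a stand-in; because the abort happens in the child, the supervising service keeps running and can raise the alert.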


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2026-01-09T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 69ab3283c48b3f10ffcc6477

Added to database: 3/6/2026, 8:01:07 PM

Last enriched: 3/14/2026, 7:13:40 PM

Last updated: 4/21/2026, 3:32:55 AM
