CVE-2025-69654 is a vulnerability in the QuickJS JavaScript engine released on 2025-09-13. The flaw arises when QuickJS is executed with the '-m' option, which enables module mode, combined with a low memory limit. Under these conditions, a specially crafted JavaScript input can trigger an out-of-memory (OOM) error during execution. While the engine correctly reports the OOM condition, it subsequently encounters an assertion failure in the JS_FreeRuntime function during runtime cleanup. This failure occurs because the garbage collector's object list (gc_obj_list) is not fully released, violating the expectation that the list should be empty at cleanup. The assertion failure causes the interpreter to abort with a SIGABRT signal, resulting in a denial-of-service (DoS) condition. The root cause is improper handling of memory exhaustion and incomplete garbage collection cleanup under constrained memory scenarios. The vulnerability was addressed in a commit dated 2025-12-11 (commit fcd33c1afa7b3028531f53cd1190a3877454f6b3), which presumably fixes the cleanup logic to prevent the assertion failure. No CVSS score has been assigned yet, and no known exploits have been reported in the wild. The vulnerability primarily impacts applications and systems embedding or using QuickJS 2025-09-13 with the '-m' option and low memory limits, such as IoT devices, embedded systems, or server-side JavaScript runtimes that utilize QuickJS. Attackers can exploit this by supplying crafted JavaScript code that triggers the OOM and subsequent crash, causing service interruption.

The primary impact of CVE-2025-69654 is denial of service due to a crash of the QuickJS interpreter. This can disrupt any application or service relying on QuickJS for JavaScript execution, potentially causing system instability or downtime. Embedded systems, IoT devices, or server applications using QuickJS with the vulnerable version and configuration are at risk of service interruption. The denial of service could be triggered remotely if the application processes untrusted JavaScript input, leading to potential availability loss. While this vulnerability does not directly compromise confidentiality or integrity, the resulting service disruption can affect business operations, user experience, and reliability of critical systems. Organizations using QuickJS in resource-constrained environments are particularly vulnerable due to the low memory condition requirement. The absence of known exploits limits immediate risk, but the vulnerability's presence in a widely used JavaScript engine means it could be targeted in the future. Failure to patch could expose organizations to repeated service outages and potential cascading failures in dependent systems.

To mitigate CVE-2025-69654, organizations should promptly update QuickJS to the fixed version that includes commit fcd33c1afa7b3028531f53cd1190a3877454f6b3 or later. If immediate patching is not possible, consider disabling or avoiding use of the '-m' module mode option in QuickJS, especially under low memory conditions. Implement strict input validation and sanitization to prevent processing of untrusted or crafted JavaScript code that could trigger the vulnerability. Monitor memory usage closely in environments running QuickJS and configure memory limits to avoid conditions that could lead to OOM errors. Employ runtime monitoring and alerting for abnormal process terminations or crashes of QuickJS interpreters. For embedded or IoT devices, ensure secure update mechanisms are in place to deploy patches efficiently. Additionally, isolate QuickJS execution environments to limit the impact of potential crashes on critical system components. Conduct thorough testing of QuickJS upgrades in staging environments to verify stability and absence of regressions. Finally, maintain awareness of vendor advisories and community updates regarding QuickJS vulnerabilities and fixes.