CVE-2025-69653 in QuickJS
Summary
by MITRE • 03/06/2026
A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, fixed in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 (2025-12-11), in file gc_decref_child in quickjs.c, when executed with the qjs interpreter using the -m option. This leads to an abort (SIGABRT) during garbage collection and causes a denial-of-service.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 03/12/2026
The vulnerability described in CVE-2025-69653 represents a critical heap-based buffer overflow condition within the QuickJS JavaScript engine version 2025-09-13. This flaw manifests as an internal assertion failure during garbage collection operations when the qjs interpreter processes maliciously crafted JavaScript input through the -m command line option. The vulnerability specifically targets the gc_decref_child function located in quickjs.c, where an improper handling of reference counting leads to memory corruption. The issue stems from inadequate bounds checking and validation of object references during the decremental reference counting process that occurs during garbage collection cycles.
The technical exploitation of this vulnerability requires careful crafting of JavaScript code that triggers the specific code path within the garbage collector where the assertion failure occurs. When the qjs interpreter executes such malicious input with the -m flag enabled, the engine's internal state becomes corrupted, resulting in an abrupt termination through SIGABRT signal generation. This behavior constitutes a denial-of-service condition that can be reliably triggered by remote attackers who can influence JavaScript execution within the QuickJS environment. The vulnerability is particularly concerning because it operates at the core memory management layer of the interpreter, making it difficult to predict and prevent through standard input sanitization techniques.
From a cybersecurity perspective, this vulnerability maps directly to CWE-121, heap-based buffer overflow, and CWE-125, out-of-bounds read, while also aligning with ATT&CK technique T1499.1 for network denial of service. The operational impact extends beyond simple service disruption as this flaw could potentially be leveraged in more sophisticated attacks where an attacker might use the denial-of-service condition as a stepping stone for further exploitation. The vulnerability affects any system running QuickJS 2025-09-13 or earlier versions that utilize the qjs interpreter with the -m option, particularly web applications, server-side JavaScript environments, and embedded systems that depend on QuickJS for JavaScript execution.
Mitigation strategies for this vulnerability should prioritize immediate patch application, with the fix implemented in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 released on 2025-12-11. Organizations should disable the -m flag usage in production environments until the patch is applied, and implement strict input validation mechanisms that prevent arbitrary JavaScript code execution. Additional protective measures include deploying runtime monitoring systems that can detect abnormal garbage collection behavior and implementing sandboxing techniques that isolate JavaScript execution contexts. The vulnerability demonstrates the critical importance of thorough testing of memory management code paths and highlights the necessity of maintaining up-to-date security patches for embedded scripting engines used in production environments.