CVE-2025-69654 in QuickJS

Summary

by MITRE • 03/06/2026

A crafted JavaScript input executed with the QuickJS release 2025-09-13 `qjs` interpreter (fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3, 2025-12-11) using the `-m` option and a low memory limit can cause an out-of-memory condition followed by an assertion failure in JS_FreeRuntime (list_empty(&rt->gc_obj_list)) during runtime cleanup. Although the engine reports an OOM error, it subsequently aborts with SIGABRT because the GC object list is not fully released. This results in a denial of service.


Analysis

by VulDB Data Team • 03/12/2026

This vulnerability exists in the QuickJS JavaScript engine version 2025-09-13 and is a critical denial of service condition triggered by malicious JavaScript input. The flaw manifests when the qjs interpreter is invoked with the -m option, which enables memory limiting functionality, combined with a low memory threshold. It arises from a specific interaction between the engine's memory management and its garbage collection during runtime teardown.

The root cause is a memory allocation failure during JavaScript execution under a strict memory limit. When the interpreter processes a crafted input that exhausts the configured limit, it correctly reports an out-of-memory condition to the application. The subsequent cleanup, however, mishandles the garbage collection object list. JS_FreeRuntime verifies the integrity of that list with an assertion that requires it to be empty, and the assertion fails because the garbage collection objects were not released during the OOM scenario, leaving the runtime in an inconsistent internal state.

The operational impact goes beyond simple resource exhaustion. The engine's response to the initial OOM error escalates into SIGABRT termination, an abrupt abort that ordinary application error handling does not intercept. A recoverable memory error therefore becomes an outright crash of the hosting process, which is particularly dangerous where the JavaScript engine is embedded or used as a core component. Any application that uses QuickJS with memory limiting enabled is affected, and server-side applications or embedded systems that actively manage resource constraints are the most exposed.

The flaw shows characteristics consistent with CWE-401: Improper Release of Memory and CWE-755: Improper Handling of Exceptional Conditions, reflecting weaknesses in both memory management and error handling during runtime cleanup. From an ATT&CK perspective it aligns with T1499.004: Endpoint Denial of Service, since an attacker can cause unavailability through controlled resource exhaustion combined with improper cleanup. The assertion failure during cleanup may also expose other latent issues in the engine's memory management subsystem, so embedding systems could see additional instability. The fix in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3 addresses the assertion failure by ensuring that garbage collection objects are properly cleaned up even under OOM conditions, preventing the SIGABRT termination and keeping the runtime stable when a memory limit is hit.
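The teardown defect described above, as an added illustrative model in C. This is not QuickJS source and not the project's fix: the list helpers, the runtime structure and the allocator limit are assumed stand-ins that reproduce the shape of the bug (OOM reported, live objects left on the GC list, teardown asserting the list is empty) beside a teardown that drains the list first.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdlib.h>
/* Intrusive doubly linked list in the style of QuickJS's list.h (helper names assumed). */
typedef struct list_head { struct list_head *prev, *next; } list_head;
static void list_init(list_head *h) { h->prev = h->next = h; }
static bool list_empty(const list_head *h) { return h->next == h; }
static void list_add_tail(list_head *e, list_head *h) {
    e->prev = h->prev; e->next = h; h->prev->next = e; h->prev = e;
}
static void list_del(list_head *e) { e->prev->next = e->next; e->next->prev = e->prev; }
/* Model runtime: every live object sits on gc_obj_list; the allocator enforces malloc_limit. */
typedef struct { list_head link; size_t size; } gc_obj;   /* link must stay the first member */
typedef struct { list_head gc_obj_list; size_t malloc_size, malloc_limit; } runtime;
static void runtime_init(runtime *rt, size_t limit) {
    list_init(&rt->gc_obj_list); rt->malloc_size = 0; rt->malloc_limit = limit;
}
/* Returns NULL (the reported OOM error) once the limit would be exceeded; earlier objects stay live. */
static gc_obj *gc_alloc(runtime *rt, size_t size) {
    if (rt->malloc_size + size > rt->malloc_limit) return NULL;
    gc_obj *o = malloc(sizeof *o); if (!o) return NULL;
    o->size = size; rt->malloc_size += size;
    list_add_tail(&o->link, &rt->gc_obj_list);
    return o;
}
/* Stand-in for a script that keeps allocating until the limit trips. */
static bool run_script(runtime *rt, int count, size_t size) {
    for (int i = 0; i < count; i++) if (!gc_alloc(rt, size)) return false;
    return true;
}
/* Affected teardown: it only checks the invariant. In the engine this is assert(list_empty(...)),
 * which aborts the process after an OOM because the live objects were never released. */
static bool free_runtime_affected(runtime *rt) { return list_empty(&rt->gc_obj_list); }
/* Hardened teardown: release whatever is still on the list first, then the invariant holds. */
static bool free_runtime_hardened(runtime *rt) {
    while (!list_empty(&rt->gc_obj_list)) {
        gc_obj *o = (gc_obj *)rt->gc_obj_list.next;
        list_del(&o->link); rt->malloc_size -= o->size; free(o);
    }
    return list_empty(&rt->gc_obj_list) && rt->malloc_size == 0;
}
/* One run under a 1 KiB limit (OOM after 16 objects of 64 bytes); returns whether teardown found the list empty. */
static bool simulate(bool hardened) {
    runtime rt; runtime_init(&rt, 1024);
    (void)run_script(&rt, 100, 64);
    bool held = hardened ? free_runtime_hardened(&rt) : free_runtime_affected(&rt);
    free_runtime_hardened(&rt);   /* release the model's leftovers either way */
    return held;
}
```

With the affected teardown the invariant fails after the OOM (the engine would abort here); with the draining teardown it holds, which is the behaviour the fix restores.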

Responsible

MITRE

Reservation

01/09/2026

Disclosure

03/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00075

KEV

no

Activities

very low
