High severity7.5NVD Advisory· Published Mar 6, 2026· Updated Jun 2, 2026
CVE-2025-69654
CVE-2025-69654
Description
A crafted JavaScript input executed with the QuickJS release 2025-09-13, fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3 (2025-12-11),qjs interpreter using the -m option and a low memory limit can cause an out-of-memory condition followed by an assertion failure in JS_FreeRuntime (list_empty(&rt->gc_obj_list)) during runtime cleanup. Although the engine reports an OOM error, it subsequently aborts with SIGABRT because the GC object list is not fully released. This results in a denial of service.
Affected products
2- cpe:2.3:a:quickjs_project:quickjs:*:*:*:*:*:*:*:*Range: >=2025-09-13,<2025-12-11
Patches
Vulnerability mechanics
References
1- github.com/bellard/quickjs/issues/468nvdExploitIssue TrackingVendor Advisory
News mentions
0No linked articles in our index yet.