Cyber Resilience

CVE-2025-69654

High · Public PoC · DDoS · Updated

Published: 06 March 2026

Modified: 02 June 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0008 (22.7th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-69654 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in QuickJS (QuickJS Project). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 22.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-11 (Error Handling).

Deeper analysis

CVE-2025-69654 is a denial-of-service vulnerability in the QuickJS JavaScript engine, specifically affecting the `qjs` interpreter from the release dated 2025-09-13. The issue arises when executing a crafted JavaScript input under the `-m` option with a low memory limit, triggering an out-of-memory condition. This leads to an assertion failure in the `JS_FreeRuntime` function during runtime cleanup, where the garbage collection object list (`rt->gc_obj_list`) is not fully released despite an OOM error being reported, resulting in a process abort via SIGABRT. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Attackers can exploit this vulnerability remotely over a network with low complexity and no privileges or user interaction required. Any unauthenticated adversary capable of supplying malicious JavaScript input to a targeted `qjs` instance configured with the `-m` flag and a constrained memory limit can trigger the condition. Successful exploitation causes the interpreter to crash, denying service to legitimate users or processes relying on the engine.

The vulnerability was fixed in QuickJS commit fcd33c1afa7b3028531f53cd1190a3877454f6b3, released on 2025-12-11. Additional details are documented in the project's GitHub issue tracker at https://github.com/bellard/quickjs/issues/468, where security practitioners can review the root cause analysis and patch for deployment.
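The abort described above leaves a signature that differs from an ordinary handled OOM: death by SIGABRT plus the `JS_FreeRuntime` assertion text on stderr. The triage sketch below is an added example, not code from the QuickJS project or from this page; the record layout, the OOM message text, the labels and the sample records are assumptions constructed for illustration.

```python
import signal

# Strings taken from the advisory text: the failing assertion and its function.
ASSERT_EXPR = "list_empty(&rt->gc_obj_list)"
ASSERT_FUNC = "JS_FreeRuntime"
# Assumption: the engine's OOM report contains this phrase.
OOM_MARKER = "out of memory"


def died_from_sigabrt(returncode):
    """True for subprocess-style (-6) and shell-style (128+6) abort codes."""
    return returncode in (-signal.SIGABRT, 128 + signal.SIGABRT)


def classify_exit(returncode, stderr):
    """Classify one qjs run from its exit status and captured stderr."""
    oom = OOM_MARKER in stderr.lower()
    if died_from_sigabrt(returncode):
        if ASSERT_EXPR in stderr and ASSERT_FUNC in stderr:
            # OOM reported, then abort in cleanup: the pattern this CVE describes.
            return "cve-2025-69654-abort" if oom else "free-runtime-assert"
        return "other-abort"
    if returncode == 0:
        return "clean"
    return "oom-handled" if oom else "script-error"


def triage(records):
    """Return {label: [job ids]} for records of (job_id, returncode, stderr)."""
    out = {}
    for job_id, rc, err in records:
        out.setdefault(classify_exit(rc, err), []).append(job_id)
    return out


# Constructed sample records (not real logs); the source line number is made up.
SAMPLE = [
    ("job-1", 0, ""),
    ("job-2", 1, "InternalError: out of memory\n"),
    ("job-3", -6, "InternalError: out of memory\n"
                  "qjs: quickjs.c:0000: JS_FreeRuntime: Assertion "
                  "`list_empty(&rt->gc_obj_list)' failed.\n"),
    ("job-4", 134, "Aborted\n"),
    ("job-5", 1, "SyntaxError: unexpected token\n"),
]

if __name__ == "__main__":
    for label, jobs in triage(SAMPLE).items():
        print(label, jobs)
```

Counting `cve-2025-69654-abort` records per host shows which `qjs` deployments still run a build without the fix commit.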

Vulnerability details

A crafted JavaScript input executed with the `qjs` interpreter of the QuickJS release 2025-09-13 (fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3, 2025-12-11), using the `-m` option and a low memory limit, can cause an out-of-memory condition followed by an assertion failure in `JS_FreeRuntime` (`list_empty(&rt->gc_obj_list)`) during runtime cleanup. Although the engine reports an OOM error, it subsequently aborts with SIGABRT because the GC object list is not fully released. This results in a denial of service.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Directly enables remote DoS via crafted JS input triggering OOM/assertion failure and process crash in the interpreter (Endpoint DoS: Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-56921 (Shared CWE-400)
CVE-2026-33538 (Shared CWE-400)
CVE-2026-0517 (Shared CWE-400)
CVE-2026-6051 (Shared CWE-400)
CVE-2026-21945 (Shared CWE-400)
CVE-2026-33750 (Shared CWE-400)
CVE-2024-33618 (Shared CWE-400)
CVE-2025-69534 (Shared CWE-400)
CVE-2025-29487 (Shared CWE-400)
CVE-2025-9278 (Shared CWE-400)

Affected Assets

quickjs project
quickjs
2025-09-13 — 2025-12-11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely remediation of the specific flaw in QuickJS via the fixed commit fcd33c1.

prevent

Addresses the assertion failure and improper garbage collection cleanup during OOM by enforcing effective error handling that prevents process aborts.

prevent · detect

Protects against the denial-of-service from uncontrolled memory consumption triggered by crafted JavaScript inputs.
