CVE-2025-69654
Published: 06 March 2026
Summary
CVE-2025-69654 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Quickjs Project's QuickJS. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 22.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-11 (Error Handling).
Deeper analysis
CVE-2025-69654 is a denial-of-service vulnerability in the QuickJS JavaScript engine, specifically affecting the `qjs` interpreter from the release dated 2025-09-13. The issue arises when executing a crafted JavaScript input under the `-m` option with a low memory limit, triggering an out-of-memory condition. This leads to an assertion failure in the `JS_FreeRuntime` function during runtime cleanup, where the garbage collection object list (`rt->gc_obj_list`) is not fully released despite an OOM error being reported, resulting in a process abort via SIGABRT. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Attackers can exploit this vulnerability remotely over a network with low complexity and no privileges or user interaction required. Any unauthenticated adversary capable of supplying malicious JavaScript input to a targeted `qjs` instance configured with the `-m` flag and a constrained memory limit can trigger the condition. Successful exploitation causes the interpreter to crash, denying service to legitimate users or processes relying on the engine.
The vulnerability was fixed in QuickJS commit fcd33c1afa7b3028531f53cd1190a3877454f6b3, released on 2025-12-11. Additional details are documented in the project's GitHub issue tracker at https://github.com/bellard/quickjs/issues/468, where security practitioners can review the root cause analysis and patch for deployment.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208350
Vulnerability details
A crafted JavaScript input executed with the `qjs` interpreter from QuickJS release 2025-09-13 (fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3, 2025-12-11), using the `-m` option and a low memory limit, can cause an out-of-memory condition followed by an assertion failure in `JS_FreeRuntime` (`list_empty(&rt->gc_obj_list)`) during runtime cleanup. Although the engine reports an OOM error, it subsequently aborts with SIGABRT because the GC object list is not fully released. This results in a denial of service.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directly enables remote DoS via crafted JS input triggering OOM/assertion failure and process crash in the interpreter (Endpoint DoS: Application or System Exploitation).
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the vulnerability by requiring timely remediation of the specific flaw in QuickJS via the fixed commit fcd33c1.
Addresses the assertion failure and improper garbage collection cleanup during OOM by enforcing effective error handling that prevents process aborts.
Protects against the denial-of-service from uncontrolled memory consumption triggered by crafted JavaScript inputs.