CVE-2025-69654

Name of the Vulnerable Software and Affected Versions QuickJS versions 2025-09-13 through 2025-12-11

Description A specially crafted JavaScript input, when executed with the qjs interpreter using the -m option and a limited memory allocation, can lead to an out-of-memory condition. This is followed by an assertion failure within the JS FreeRuntime function during runtime cleanup, specifically when checking if the garbage collection object list is empty (list empty(&rt->gc obj list)). Although an out-of-memory error is initially reported, the engine ultimately terminates with a SIGABRT signal due to the incomplete release of garbage collection objects. This can result in a denial of service.

Recommendations Update to QuickJS version 2025-12-11 or later.