cvedb.io
CVE-2025-69654
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-03-06T20:16:11.900 · Last modified 2026-06-17T10:00:49.183

Summary

A crafted JavaScript input executed with the QuickJS release 2025-09-13, fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3 (2025-12-11),`qjs` interpreter using the `-m` option and a low memory limit can cause an out-of-memory condition followed by an assertion failure in JS_FreeRuntime (list_empty(&rt->gc_obj_list)) during runtime cleanup. Although the engine reports an OOM error, it subsequently aborts with SIGABRT because the GC object list is not fully released. This results in a denial of service.

Affected products

quickjs_project — quickjs

Does this affect you?

Add your gear to cvedb and we'll alert you only when quickjs_project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.