Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
QuickJS Interpreter Can Crash with Malicious JavaScript Input
DEBIAN-CVE-2025-69653
Summary
A malicious JavaScript script can cause a QuickJS interpreter to crash, leading to a denial-of-service. This only affects systems using the -m option with the qjs interpreter. To fix this, update to the latest version of QuickJS, which was patched on December 11, 2025.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| debian | quickjs | All versions | – |
| debian | quickjs | All versions | – |
Original title
A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, fixed in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 (2025-12-11), in file gc_decref_child in...
Original description
A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, fixed in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 (2025-12-11), in file gc_decref_child in quickjs.c, when executed with the qjs interpreter using the -m option. This leads to an abort (SIGABRT) during garbage collection and causes a denial-of-service.
- https://security-tracker.debian.org/tracker/CVE-2025-69653 Vendor Advisory
Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026