Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
QuickJS Interpreter Can Crash with Special Input
DEBIAN-CVE-2025-69654
Summary
The QuickJS JavaScript engine can crash if it receives a specially crafted input, which can cause the system to run out of memory and then crash with an error message. This issue affects systems running a specific version of the QuickJS engine, and it's fixed in a later update. To protect your system, update the QuickJS engine to the latest version.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| debian | quickjs | All versions | – |
| debian | quickjs | All versions | – |
Original title
A crafted JavaScript input executed with the QuickJS release 2025-09-13, fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3 (2025-12-11),`qjs` interpreter using the `-m` option and a low memo...
Original description
A crafted JavaScript input executed with the QuickJS release 2025-09-13, fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3 (2025-12-11),`qjs` interpreter using the `-m` option and a low memory limit can cause an out-of-memory condition followed by an assertion failure in JS_FreeRuntime (list_empty(&rt->gc_obj_list)) during runtime cleanup. Although the engine reports an OOM error, it subsequently aborts with SIGABRT because the GC object list is not fully released. This results in a denial of service.
- https://security-tracker.debian.org/tracker/CVE-2025-69654 Vendor Advisory
Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026