QuickJS JavaScript Interpreter Can Crash with Malicious Input

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.5

QuickJS JavaScript Interpreter Can Crash with Malicious Input

CVE-2025-69653

Summary

A specific type of malicious JavaScript input can cause the QuickJS JavaScript interpreter to crash when using the -m option, leading to a denial-of-service. This affects users who run QuickJS with this option. Affected users should update to the latest version of QuickJS to fix this issue.

Original title

Original description

A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, fixed in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 (2025-12-11), in file gc_decref_child in quickjs.c, when executed with the qjs interpreter using the -m option. This leads to an abort (SIGABRT) during garbage collection and causes a denial-of-service.

Vulnerability type

CWE-617

https://github.com/bellard/quickjs/issues/467

Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026