CVE-2025-69653 Overview
A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, leading to a denial-of-service condition. The vulnerability resides in the gc_decref_child function within quickjs.c and is triggered when malicious JavaScript is executed with the qjs interpreter using the -m option. Successful exploitation causes an abort signal (SIGABRT) during garbage collection, crashing the interpreter and denying service to legitimate users.
Critical Impact
Attackers can crash QuickJS interpreter instances by supplying specially crafted JavaScript input, causing denial-of-service through an assertion failure in garbage collection routines.
Affected Products
- QuickJS release 2025-09-13
- QuickJS versions prior to commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6
Discovery Timeline
- 2026-03-06 - CVE CVE-2025-69653 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2025-69653
Vulnerability Analysis
This vulnerability is classified as CWE-617 (Reachable Assertion), where an assertion statement in the gc_decref_child function can be reached by an attacker through crafted input. The flaw exists in QuickJS's garbage collection mechanism, specifically in how reference counting is handled during the decrement child operation.
When the QuickJS interpreter processes certain malformed JavaScript modules (executed with the -m flag), an internal invariant check fails within the garbage collector. The assertion was likely placed as a debugging aid or sanity check but becomes a security issue when external input can trigger the failure path, allowing attackers to cause a controlled crash.
The vulnerability requires user interaction in that a victim must execute the malicious JavaScript file, but the attack can be delivered over the network through various vectors such as malicious web content or shared scripts.
Root Cause
The root cause is an improper handling of edge cases in the gc_decref_child function during garbage collection cycles. When specific JavaScript constructs are processed, the garbage collector encounters an unexpected state that violates an internal assertion, causing the interpreter to abort via SIGABRT. This represents a failure to properly validate or handle all possible states during reference count decrement operations on child objects.
Attack Vector
The attack requires an attacker to craft a malicious JavaScript file that exploits the assertion failure. The attack vector is network-based as the malicious script can be delivered remotely. The attacker must convince a victim to execute the malicious JavaScript using the QuickJS qjs interpreter with the module flag (-m).
The exploitation flow involves:
- Crafting a JavaScript file that triggers the vulnerable code path in gc_decref_child
- Delivering the malicious file to the target system
- Waiting for or inducing execution with qjs -m malicious.js
- The garbage collector hits the assertion failure and aborts execution
Technical details and proof-of-concept information can be found in the GitHub Issue Discussion.
Detection Methods for CVE-2025-69653
Indicators of Compromise
- Unexpected SIGABRT signals from qjs processes
- QuickJS interpreter crashes with assertion failure messages referencing gc_decref_child
- Core dumps from QuickJS processes indicating garbage collection failures
- Abnormal termination of scripts running under the QuickJS interpreter
Detection Strategies
- Monitor system logs for SIGABRT signals originating from QuickJS (qjs) processes
- Implement process monitoring to detect repeated crashes of JavaScript interpreter instances
- Deploy file integrity monitoring on systems where QuickJS processes untrusted JavaScript
- Use application-level logging to track JavaScript file sources before execution
Monitoring Recommendations
- Configure crash reporting tools to alert on QuickJS interpreter terminations
- Monitor for unusual patterns of JavaScript file execution with the -m module flag
- Implement rate limiting on JavaScript execution to detect potential DoS attempts
- Review and audit JavaScript files before execution in production environments
How to Mitigate CVE-2025-69653
Immediate Actions Required
- Update QuickJS to a version containing commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 or later
- Avoid executing untrusted JavaScript files with the QuickJS interpreter
- Implement input validation and sandboxing for JavaScript execution environments
- Monitor QuickJS processes for unexpected crashes or terminations
Patch Information
The vulnerability was fixed in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 dated 2025-12-11. Organizations should update their QuickJS installation to a version that includes this fix. The patch addresses the assertion failure in the gc_decref_child function within quickjs.c.
For additional details, refer to the GitHub Issue Discussion.
Workarounds
- Restrict execution of JavaScript modules from untrusted sources
- Run QuickJS in sandboxed environments with process isolation
- Implement process supervisors to automatically restart crashed interpreter instances
- Validate and sanitize JavaScript files before execution when the -m flag is required
# Configuration example
# Update QuickJS to the patched version
git clone https://github.com/bellard/quickjs.git
cd quickjs
git checkout 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6
make
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
