diff --git a/lib/config/expression.cpp b/lib/config/expression.cpp
index bec121ec3..ddc66ac6f 100644
--- a/lib/config/expression.cpp
+++ b/lib/config/expression.cpp
@@ -185,6 +185,10 @@ bool DerefExpression::GetReference(ScriptFrame& frame, bool init_dict, Value *pa
 
 	Reference::Ptr ref = operand.GetValue();
 
+	if (!ref) {
+		BOOST_THROW_EXCEPTION(ScriptError("Invalid reference specified.", GetDebugInfo()));
+	}
+
 	*parent = ref->GetParent();
 	*index = ref->GetIndex();
 	return true;
diff --git a/test/config-ops.cpp b/test/config-ops.cpp
index dfbef2530..50064c358 100644
--- a/test/config-ops.cpp
+++ b/test/config-ops.cpp
@@ -241,6 +241,10 @@ BOOST_AUTO_TEST_CASE(advanced)
 	expr = ConfigCompiler::CompileText("<test>", "{{ 3 }}");
 	func = expr->Evaluate(frame).GetValue();
 	BOOST_CHECK(func->Invoke() == 3);
+
+	// Regression test for CVE-2025-61908
+	expr = ConfigCompiler::CompileText("<test>", "&*null");
+	BOOST_CHECK_THROW(expr->Evaluate(frame).GetValue(), ScriptError);
 }
 
 BOOST_AUTO_TEST_SUITE_END()