diff --git a/lib/config/expression.cpp b/lib/config/expression.cpp
index 3af536df0..f9d477ddf 100644
--- a/lib/config/expression.cpp
+++ b/lib/config/expression.cpp
@@ -187,6 +187,10 @@ bool DerefExpression::GetReference(ScriptFrame& frame, bool init_dict, Value *pa
 
 	Reference::Ptr ref = operand.GetValue();
 
+	if (!ref) {
+		BOOST_THROW_EXCEPTION(ScriptError("Invalid reference specified.", GetDebugInfo()));
+	}
+
 	*parent = ref->GetParent();
 	*index = ref->GetIndex();
 	return true;
diff --git a/test/config-ops.cpp b/test/config-ops.cpp
index 276fd6d88..cc2c2fb51 100644
--- a/test/config-ops.cpp
+++ b/test/config-ops.cpp
@@ -242,6 +242,10 @@ BOOST_AUTO_TEST_CASE(advanced)
 	expr = ConfigCompiler::CompileText("<test>", "{{ 3 }}");
 	func = expr->Evaluate(frame).GetValue();
 	BOOST_CHECK(func->Invoke() == 3);
+
+	// Regression test for CVE-2025-61908
+	expr = ConfigCompiler::CompileText("<test>", "&*null");
+	BOOST_CHECK_THROW(expr->Evaluate(frame).GetValue(), ScriptError);
 }
 
 BOOST_AUTO_TEST_CASE(sandboxed_ticket_salt)