CVE-2025-56572
BaseFortify
Publication date: 2025-09-30
Last updated on: 2025-10-08
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ebradyjobory | finance.js | 4.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-56572 is a Denial of Service (DoS) vulnerability in Finance.js version 4.1.0 that affects the seekZero() function. The function lacks limits on iteration, which can cause it to enter an infinite loop, leading to excessive CPU usage and application crashes. This vulnerability can be triggered remotely without any privileges, impacting both browser and Node.js environments. [1]
How can this vulnerability impact me?
This vulnerability can cause your application using Finance.js to become unresponsive or crash due to high CPU consumption caused by infinite loops in the seekZero() function. This results in a Denial of Service, making the application unavailable to legitimate users and potentially disrupting business operations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for symptoms such as high CPU usage, application stalls, or crashes related to the use of the seekZero() function in finance.js version 4.1.0. Since the issue involves infinite loops or excessive iterations in the seekZero() function, you can detect it by observing processes running finance.js for unusually high CPU consumption. Specific commands to detect this include using system monitoring tools like 'top' or 'htop' on Linux to identify processes with high CPU usage. Additionally, you can instrument or log calls to the seekZero() function in your application to detect excessive iteration or hangs. There are no direct network detection commands: although the condition can be triggered remotely, the symptom is local to the application runtime. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating or patching finance.js to a version that limits iteration depth in the seekZero() function to prevent infinite loops. If an updated version is not available, you can implement a workaround by adding iteration limits or timeouts around calls to seekZero() to avoid excessive CPU usage or application crashes. Additionally, consider restricting or validating inputs that trigger the seekZero() function remotely to prevent exploitation. Monitoring application performance and restarting affected services upon detection of hangs or crashes can also help mitigate impact until a permanent fix is applied. [1, 2]
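The iteration cap that the mitigation above describes, as an added example that is not finance.js's own code: the step-search shape of seekZeroBounded, the npvAt helper and the MAX_ITERATIONS value are assumptions used only to show where a bound belongs, so that a non-converging input raises an error instead of pinning the CPU.

```javascript
// Added example, not finance.js code. A zero seeker of the kind described on
// this page, with the one thing the vulnerable version lacks: an iteration cap.
// The coarse-then-fine stepping is an assumed shape, not the library's internals.

const MAX_ITERATIONS = 10000; // hypothetical default; tune for your inputs

// Find x where fn(x) changes sign: step right in units of 1 while fn(x) > 0,
// then step left in units of 0.01 while fn(x) < 0. Every step is counted, and
// a RangeError replaces the infinite loop when fn never crosses zero.
function seekZeroBounded(fn, maxIter = MAX_ITERATIONS) {
  let iterations = 0;
  const tick = () => {
    if (++iterations > maxIter) {
      throw new RangeError(`seekZero: no sign change after ${maxIter} iterations`);
    }
  };
  let x = 1;
  while (fn(x) > 0) { // coarse search
    tick();
    x += 1;
  }
  while (fn(x) < 0) { // fine search back toward the crossing
    tick();
    x -= 0.01;
  }
  return x + 0.01;
}

// Net present value of cashFlows at ratePercent: the kind of function an IRR
// routine hands to a zero seeker. Constructed helper, not library code.
function npvAt(cashFlows, ratePercent) {
  const r = ratePercent / 100;
  return cashFlows.reduce((sum, cf, t) => sum + cf / Math.pow(1 + r, t), 0);
}

// IRR with the guard applied. An outlay followed by inflows has an NPV that
// turns negative as the rate grows, so the search terminates; a stream with
// no sign change (all inflows) never does, and the cap converts that into
// an error the caller can handle.
function irrWithGuard(cashFlows, maxIter = MAX_ITERATIONS) {
  return seekZeroBounded((rate) => npvAt(cashFlows, rate), maxIter);
}

module.exports = { seekZeroBounded, npvAt, irrWithGuard };
```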