CVE-2025-66453
BaseFortify
Publication date: 2025-12-03
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected Version / Range | Fixed In |
|---|---|---|---|
| mozilla | rhino | < 1.7.14.1 | 1.7.14.1 |
| mozilla | rhino | 1.7.15 | 1.7.15.1 |
| mozilla | rhino | 1.8.0 | 1.8.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Rhino, an open-source JavaScript implementation written in Java. Releases before 1.7.14.1, release 1.7.15 and release 1.8.0 are affected; the fixes are in 1.7.14.1, 1.7.15.1 and 1.8.1. When attacker-controlled script passes a specially crafted floating point number to Number.prototype.toFixed(), the call descends through Rhino's number-to-string conversion into the pow5mult routine, which is asked to multiply a big integer by an extremely large power of five. That computation takes time that grows with the size of the exponent, so a single call can occupy a CPU core for a long time, resulting in a Denial of Service (DoS). Note that the expensive work happens inside one native Java call rather than in a script loop, so script-level instruction counting does not see it.
How can this vulnerability impact me?
Any application that lets Rhino evaluate attacker-supplied JavaScript, or that passes attacker-supplied floating point numbers to toFixed(), can be driven into high CPU consumption. One call pins a thread for as long as the computation runs, and repeated requests can exhaust a worker pool, degrading performance or making the application unresponsive and disrupting service availability. The impact is availability only, consistent with the CWE-400 (uncontrolled resource consumption) classification above.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Rhino to the patched release for your line: 1.7.14.1 if you are on anything older, 1.7.15.1 if you are on 1.7.15, and 1.8.1 if you are on 1.8.0 (or any later release). Rhino is frequently pulled in transitively by other libraries, so verify the resolved version in each deployed service rather than only the version you declare, for example with `mvn dependency:tree -Dincludes=org.mozilla:rhino` or `gradle dependencyInsight --dependency rhino`. Until the upgrade ships, do not evaluate untrusted scripts without a wall-clock budget, and treat scripts that exceed it as hostile.
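The following is an added example, not code from Rhino or from this advisory, showing how a host application can keep a runaway toFixed() call from hanging the calling thread while the upgrade is rolled out. It uses only public Rhino APIs (Context.enter, initSafeStandardObjects, evaluateString, getImplementationVersion); the class name BoundedRhino, the budget value and the benign sample script are assumptions of this example. The crafted input from the advisory is deliberately not reproduced.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.mozilla.javascript.Context;
import org.mozilla.javascript.Scriptable;

/**
 * Illustrative wrapper (assumed name, not part of Rhino): evaluates untrusted
 * JavaScript on a worker thread under a wall-clock budget so that a CPU-burning
 * call such as the toFixed() case in CVE-2025-66453 cannot hang the caller.
 */
public final class BoundedRhino {

    // Daemon threads: a worker stuck inside a long native computation must not
    // keep the JVM alive at shutdown.
    private static final ExecutorService POOL = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "rhino-untrusted");
        t.setDaemon(true);
        return t;
    });

    /** Evaluates script and returns its result, or throws TimeoutException if the budget is exceeded. */
    public static Object evalWithBudget(String script, long budgetMillis)
            throws InterruptedException, ExecutionException, TimeoutException {
        Future<Object> result = POOL.submit(() -> {
            Context cx = Context.enter();
            try {
                // initSafeStandardObjects() omits the Java bridge (Packages, java.*),
                // so the script cannot reach into the host JVM.
                Scriptable scope = cx.initSafeStandardObjects();
                return cx.evaluateString(scope, script, "untrusted", 1, null);
            } finally {
                Context.exit();
            }
        });
        try {
            return result.get(budgetMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Interrupt is advisory only: the number-formatting code this CVE hits does
            // not poll Thread.interrupted(), so the worker keeps burning CPU until its
            // computation completes. The caller is unblocked, but that thread is lost;
            // count these events, rate-limit the source, and treat them as a reason to
            // upgrade rather than as a fix.
            result.cancel(true);
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        Context cx = Context.enter();
        try {
            // Patched lines are 1.7.14.1, 1.7.15.1 and 1.8.1; anything else listed
            // in the table above needs the upgrade regardless of this wrapper.
            System.out.println("Running on " + cx.getImplementationVersion());
        } finally {
            Context.exit();
        }
        // Benign constructed input: prints "3.14". An attacker-supplied script would be
        // passed here instead, with the same 2-second budget (assumed value).
        System.out.println(evalWithBudget("(3.14159).toFixed(2)", 2000));
    }
}
```

The budget bounds the caller, not the CPU: because pow5mult runs inside a single native call, neither Thread.interrupt() nor Rhino's instruction-count observer stops it. Size the thread pool and per-client rate limits so that a burst of hostile scripts cannot strand every worker, and rely on the upgrade as the actual remediation.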