CVE-2025-66453
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-03

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker controlled float poing number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-03
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2025-12-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66453
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
mozilla rhino to 1.7.14.1 (exc)
mozilla rhino 1.7.15
mozilla rhino 1.8.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Rhino, an open-source JavaScript implementation in Java. When an attacker passes a specially crafted floating point number into the toFixed() function in versions prior to 1.8.1, 1.7.15.1, and 1.7.14.1, it causes excessive CPU consumption. This happens because the number goes through a call stack that eventually leads to the pow5mult function attempting to raise 5 to an extremely large power, resulting in high CPU usage and a potential Denial of Service (DoS).

Impact Analysis

This vulnerability can lead to a Denial of Service (DoS) condition by causing high CPU consumption when processing attacker-controlled floating point numbers in the toFixed() function. This can degrade system performance or make the affected application unresponsive, potentially disrupting service availability.

Mitigation Strategies

Update Rhino to version 1.8.1, 1.7.15.1, or 1.7.14.1 or later, as these versions contain the fix for this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66453. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart