Overview
CVE-2025-66453 describes a potential Denial of Service (DoS) vulnerability in the Rhino JavaScript engine, an open-source implementation of JavaScript written entirely in Java. It affects releases prior to 1.8.1, 1.7.15.1 and 1.7.14.1 (that is, unpatched builds of the 1.8, 1.7.15 and 1.7.14 lines). The issue stems from how Number.prototype.toFixed() converts attacker-controlled floating-point values to decimal strings: certain inputs drive the engine's number-to-string code into a very expensive computation, burning CPU and leaving the application unresponsive.
Technical Details
The vulnerability is triggered when an application passes a double controlled by an attacker into toFixed(). The attacker does not need to supply JavaScript source; it is enough to control the number that a script later formats (for example a field taken from request JSON). Small magnitudes in particular make toFixed() take an inefficient path through the engine's dtoa (double-to-ASCII) implementation. The reported call stack, from the toFixed() entry point down to the hot spot, is:
NativeNumber.numTo
  -> DToA.JS_dtostr
  -> DToA.JS_dtoa
  -> DToA.pow5mult
(The first frame is reproduced as it appears in the advisory text and looks truncated.) The problematic function, DToA.pow5mult, multiplies a big integer by 5 raised to a large power. For the offending inputs that exponent becomes excessively large, so the multiplication dominates the call and burns CPU for far longer than a normal formatting operation, which is what produces the Denial of Service. Because this work happens inside the engine's own Java code rather than in interpreted script instructions, the engine only regains control once the call returns.
CVSS Analysis
CVSS score and severity are not available for this CVE.
Possible Impact
A successful exploitation of CVE-2025-66453 leads to a Denial of Service condition. An attacker who can influence a value that reaches toFixed() can make each such call consume excessive CPU; repeated requests can saturate the worker threads and render the application unresponsive, affecting its availability and potentially starving other services that share the same host's CPU.
Mitigation or Patch Steps
The vulnerability has been addressed in the following Rhino versions:
- 1.8.1
- 1.7.15.1
- 1.7.14.1
Users of Rhino are strongly advised to upgrade to the patched release of the line they track (1.8.1 for 1.8.x, 1.7.15.1 for 1.7.15.x, 1.7.14.1 for 1.7.14.x) or to any later version. Check the resolved version of the org.mozilla:rhino artifact in your build, including transitive dependencies pulled in by scripting frameworks. If upgrading is not immediately feasible, validate attacker-influenced floating-point values before they reach toFixed(): reject or normalise values whose magnitude is so small that the formatted result would be all zeros anyway, and keep the digits argument within the range the application actually needs. Note that script timeouts built on Rhino's instruction-count observer will not cut the computation short, because the expensive loop runs in the engine's Java code and the observer only fires between interpreted instructions. Input validation is only a temporary workaround and not a replacement for upgrading to a patched version.
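The following is an added example of the interim workaround described above; it is not Rhino's fix and not code from the project. It is written in ES5 so it can be installed as a prelude script in a Rhino scope before any attacker-influenced script runs (it also runs unchanged in Node.js). It wraps Number.prototype.toFixed() and short-circuits the one case whose answer is provably a string of zeros (|x| below 10^-(f+1), where the nearest n/10^f is n = 0), so tiny magnitudes never enter the engine's native dtoa path. The result for those inputs matches the ECMAScript specification, including the "-0.00" sign for negative inputs. The threshold is this example's assumption; the advisory does not state which magnitudes are slow, so the wrapper reduces exposure rather than guaranteeing it away.

```javascript
// Added example (not Rhino project code): a defensive prelude that wraps
// Number.prototype.toFixed() so that very small magnitudes are answered
// without entering the engine's dtoa code. ES5 only, so it loads in Rhino.
(function installToFixedGuard() {
  var nativeToFixed = Number.prototype.toFixed;

  // Build a run of n zero characters ("" for n = 0).
  function zeros(n) {
    var s = "";
    while (n-- > 0) {
      s += "0";
    }
    return s;
  }

  Number.prototype.toFixed = function (fractionDigits) {
    var x = Number(this); // unwrap a boxed Number receiver

    // ToIntegerOrInfinity(fractionDigits), as ECMA-262 does for toFixed.
    var f = fractionDigits === undefined ? 0 : Number(fractionDigits);
    f = isNaN(f) ? 0 : (f < 0 ? Math.ceil(f) : Math.floor(f));
    if (f < 0 || f > 100) {
      throw new RangeError("toFixed() digits argument must be between 0 and 100");
    }

    // NaN, +/-Infinity and |x| >= 1e21 are formatted via ToString by the
    // spec and never take the fixed-point path; leave them to the engine.
    if (!isFinite(x) || Math.abs(x) >= 1e21) {
      return nativeToFixed.call(x, f);
    }

    // Assumed threshold: if 0 < |x| < 10^-(f+1), the integer n minimising
    // |n / 10^f - x| is 0, so the exact answer is "0.000..." (f zeros) with
    // a leading "-" when x < 0, exactly as the spec prescribes. Answer it
    // here instead of handing the tiny double to the native dtoa routine.
    if (x !== 0 && Math.abs(x) < Math.pow(10, -(f + 1))) {
      var body = f === 0 ? "0" : "0." + zeros(f);
      return x < 0 ? "-" + body : body;
    }

    return nativeToFixed.call(x, f);
  };
})();

// Small helper exercising the guarded toFixed(); constructed sample inputs.
function formatFixed(x, f) {
  return x.toFixed(f);
}

// Returns true if toFixed() rejects an out-of-range digits argument.
function rejectsDigits(f) {
  try {
    (1.5).toFixed(f);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}
```

Installing the prelude is a matter of evaluating it in the same scope as the untrusted script (for Rhino, via Context.evaluateString on the shared scope) before that script runs. Normal values still go to the engine's own implementation, so formatting behaviour is unchanged for everything except the all-zeros case.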
