
High CPU usage and potential DoS when passing specific numbers to `toFixed()` function

Low
gbrail published GHSA-3w8q-xq97-5j7x Dec 3, 2025

Package

maven org.mozilla:rhino (Maven)

Affected versions

<1.8.1,<1.7.15.1,<1.7.14.1

Patched versions

1.8.1,1.7.15.1,1.7.14.1

Description

When an application passes an attacker-controlled floating-point number to the toFixed() function, the call can consume a large amount of CPU time and lead to a potential Denial of Service.

Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult, where pow5mult attempts to raise 5 to an extremely large power.

Example code (the operand is a subnormal double, far below Double.MIN_NORMAL): (4.47118444E-314).toFixed(2)
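The following is an added example, not code from Rhino or from the advisory, showing a stopgap a host application can install into its scripting scope before untrusted code runs while it moves to a patched release (1.8.1, 1.7.15.1 or 1.7.14.1). It shadows Number.prototype.toFixed so that tiny magnitudes are answered without reaching the native JS_dtoa/pow5mult path. The advisory cites a subnormal input and "small numbers" but does not define the exact triggering range, so the TINY_CUTOFF value, the installToFixedGuard/uninstallToFixedGuard names and the SAMPLES inputs are all assumptions made for this example; upgrading remains the real fix.

```javascript
// Added example (not Rhino's code): shadow Number.prototype.toFixed so that
// very small magnitudes never reach the engine's native dtoa routine.
// Rhino hosts would evaluate this source in the scope before untrusted
// scripts; it also runs unchanged under Node for testing the wrapper logic.

// Assumption: the advisory names a subnormal double (4.47118444E-314) and
// "small numbers" but gives no exact range, so this cutoff is a conservative
// choice for the example, not a value taken from Rhino. ECMAScript toFixed
// allows at most 100 fraction digits, so every |x| < 1e-200 rounds to zero
// at every legal digit count; intercepting below 1e-200 never changes a result.
var TINY_CUTOFF = 1e-200;

var originalToFixed = Number.prototype.toFixed;

function installToFixedGuard() {
  Number.prototype.toFixed = function guardedToFixed(fractionDigits) {
    var x = Number(this);
    if (x !== 0 && isFinite(x) && Math.abs(x) < TINY_CUTOFF) {
      // Delegate to the builtin on 0 so argument validation is unchanged
      // (a digit count outside 0..100 still throws RangeError), then restore
      // the sign exactly as the builtin does for negative inputs ("-0.00").
      var zero = originalToFixed.call(0, fractionDigits);
      return x < 0 ? "-" + zero : zero;
    }
    // Ordinary magnitudes take the builtin path untouched.
    return originalToFixed.call(this, fractionDigits);
  };
}

function uninstallToFixedGuard() {
  Number.prototype.toFixed = originalToFixed;
}

// Constructed inputs for the example: the advisory's value, the smallest
// negative subnormal, another tiny double, and ordinary values whose
// output must be byte-for-byte what the builtin returns.
var SAMPLES = [4.47118444e-314, -4.9e-324, 1e-250, 0, -0, 1.005, 123.456, -2.5, Infinity, NaN];

// Runs every sample through the guarded toFixed and reports, per input,
// the string produced and whether the guard short-circuited the builtin.
function runSamples(fractionDigits) {
  installToFixedGuard();
  try {
    return SAMPLES.map(function (x) {
      var intercepted = x !== 0 && isFinite(x) && Math.abs(x) < TINY_CUTOFF;
      return { input: x, output: x.toFixed(fractionDigits), intercepted: intercepted };
    });
  } finally {
    uninstallToFixedGuard();
  }
}
```

Because the wrapper replaces the property on Number.prototype, a script calling (x).toFixed(2) or Number.prototype.toFixed.call(x, 2) reaches the guard first; a script that only holds references obtained after installation cannot recover the original method. Under Node the builtin is unaffected by this Rhino issue, so there the wrapper only demonstrates that the outputs match the builtin's.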

Severity

Low

CVE ID

CVE-2025-66453

Weaknesses

CWE-400: Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

Credits