CVE-2025-66453

CVE Database · CVE-2025-66453

CVE-2025-66453

· HIGHAnalyzed

CVSS v3.1

7.5

CVSS v4.0

5.5

EPSS

0.23%

Published

Dec 3, 2025

Modified

Apr 14, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker controlled float poing number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

CWE-400

Affected Products (3)

mozilla · rhino (up to 1.7.14.1)vulnerable

mozilla · rhinovulnerable

References (1)

https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs