Home > Vulnerability Database > CVE-2025-29776

Mend.io Vulnerability Database

CVE-2025-29776

Good to know:

Date: March 14, 2025

Azle is a WebAssembly runtime for TypeScript and JavaScript on ICP. Calling "setTimer" in Azle versions "0.27.0", "0.28.0", and "0.29.0" causes an immediate infinite loop of timers to be executed on the canister, each timer attempting to clean up the global state of the previous timer. The infinite loop will occur with any valid invocation of "setTimer". The problem has been fixed as of Azle version "0.30.0". As a workaround, if a canister is caught in this infinite loop after calling "setTimer", the canister can be upgraded and the timers will all be cleared, thus ending the loop.

Severity Score

7.5

Related Resources (5)

Url: https://github.com/demergent-labs/azle/releases/tag/0.30.0

Url: https://github.com/demergent-labs/azle

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-29776

Url: https://github.com/demergent-labs/azle/security/advisories/GHSA-xc76-5pf9-mx8m

Url: https://www.mend.io/vulnerability-database/CVE-2025-29776

Severity Score

7.5

Weakness Type (CWE)

Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-835

Top Fix

Upgrade Version

Upgrade to version azle - 0.30.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-29776

Good to know:

Date: March 14, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?