Home > Vulnerability Database > CVE-2025-66453

Mend.io Vulnerability Database

CVE-2025-66453

Good to know:

Date: December 3, 2025

Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker controlled float poing number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.

Severity Score

5.3

Related Resources (5)

Url: https://github.com/mozilla/rhino/commit/2bcf4c43deace35f1f57d86377c6767b0608986e

Url: https://github.com/mozilla/rhino

Url: https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66453

Url: https://www.mend.io/vulnerability-database/CVE-2025-66453

Severity Score

5.3

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Top Fix

Upgrade Version

Upgrade to version org.mozilla:rhino:1.8.1;org.mozilla:rhino:1.7.14.1;org.mozilla:rhino:1.7.15.1;https://github.com/mozilla/rhino.git - Rhino1_7_14_1_Release;https://github.com/mozilla/rhino.git - Rhino1_7_15_1_Release;https://github.com/mozilla/rhino.git - Rhino1_8_1_Release

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66453

Good to know:

Date: December 3, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?