CVE Tools
Sign in

CVE-2025-66453

Rhino vulnerable high CPU usage and potential DoS when passing specific numbers to toFixed() function

Published: Dec 3, 2025Updated: Apr 14, 2026 Sources: CVE List NVD GHSA BDUCWE-400
NVD MITRE
7.5CVSSHIGH
EPSS Score
0.2%
Top 86.3%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker controlled float poing number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:NA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:NIntegrity
None
A:HAvailability
High
Open in CVSS calculator →

Weaknesses

CWE-400

Affected Products

Android StudioGoogle Inc
On-premDesktop App
Mobile Apps
RhinoMozilla Corp.
On-prem
Consumer Software / browser
rhinomozilla
On-prem
Consumer Software / browser
org.mozilla:rhinoMavenOSS Libraries
google inccommercialUSMobile Appsaka google
mozilla corp.oss-projectUSConsumer Software
mozillaoss-projectUSConsumer Softwareaka mozilla corp.
mavenpackage-ecosystemOSS Libraries

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available

MITRE ATT&CK

1 technique
Impact
View detailed technique mapping

References

https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x
github.com
https://nvd.nist.gov/vuln/detail/CVE-2025-66453
nvd.nist.gov
https://github.com/mozilla/rhino/commit/2bcf4c43deace35f1f57d86377c6767b0608986e
github.com
and 1 more references View all →

Timeline

Published
Dec 3, 2025
Last Updated
Apr 14, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-66453 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows