PT-2025-48990 · Mozilla · Rhino

Published: 2025-12-03 · Updated: 2026-03-02

CVE-2025-66453 · CVSS v3.1: 7.5 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Rhino versions prior to 1.8.1
Rhino versions prior to 1.7.15.1
Rhino versions prior to 1.7.14.1
(The three entries are one fix per release line; every 1.7.x release older than 1.7.14.1, and 1.8.0, are affected.)
Description
Rhino is a JavaScript implementation written in Java. Prior to versions 1.8.1, 1.7.15.1 and 1.7.14.1, passing a crafted floating-point number to Number.prototype.toFixed() causes excessive CPU usage and can result in a denial of service. The work happens in the call stack NativeNumber.num_to > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult: while converting the number to its fixed-point decimal string, pow5mult attempts to raise 5 to a very large power. Any application that lets untrusted input reach toFixed(), directly or through scripts it evaluates over attacker-controlled values, is exposed; no authentication or user interaction is needed and the impact is availability only, which is what the CVSS vector (A:H, no C or I impact) reflects.
Recommendations
Rhino 1.8.x prior to 1.8.1: update to 1.8.1 or later.
Rhino 1.7.15.x prior to 1.7.15.1: update to 1.7.15.1 or later.
Rhino prior to 1.7.14.1: update to 1.7.14.1 or later (or move to a later fixed line).
Rhino is frequently pulled in as a transitive dependency, so check the full dependency tree rather than only direct declarations; distribution packages are covered by the vendor advisories listed under Related Identifiers.
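The following is an added example (my code, not Rhino's own and not part of this advisory's source) showing the two checks a practitioner would want around this issue: a triage predicate for the three affected version ranges listed above, and a wall-clock budget for evaluating untrusted script so that a toFixed() call spinning in DToA.pow5mult cannot stall the calling thread. It assumes org.mozilla:rhino is on the classpath; the class and method names (RhinoToFixedGuard, isAffected, evalWithBudget) and the sample script are mine. Two caveats: Rhino's instruction-count observer is not consulted from inside the native toFixed() implementation (the call stack above runs entirely in Java without returning to the interpreter), so it does not bound this path; and because that formatting loop never checks the interrupt flag, a timed-out worker keeps burning a core until it finishes. The budget is therefore containment for the caller, and the upgrade is the fix.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.mozilla.javascript.Context;
import org.mozilla.javascript.Scriptable;

/** Added example, not Rhino project code. Assumes org.mozilla:rhino on the classpath. */
public class RhinoToFixedGuard {

    /**
     * Returns true when a Rhino version string falls in the affected ranges from the advisory:
     * prior to 1.8.1, prior to 1.7.15.1 and prior to 1.7.14.1 (the last two are backport lines).
     * Version strings are assumed to be dotted integers such as "1.7.14" or "1.7.15.1".
     */
    public static boolean isAffected(String version) {
        String[] parts = version.trim().split("\\.");
        int[] v = new int[4];
        for (int i = 0; i < 4; i++) {
            v[i] = i < parts.length ? Integer.parseInt(parts[i]) : 0;
        }
        if (compare(v, new int[] {1, 8, 1, 0}) >= 0) {
            return false; // 1.8.1 and later carry the fix
        }
        if (v[0] == 1 && v[1] == 7 && (v[2] == 15 || v[2] == 14) && v[3] >= 1) {
            return false; // 1.7.15.1+ and 1.7.14.1+ are the fixed backport releases
        }
        return true; // everything else below 1.8.1, including 1.8.0 and all older 1.7.x
    }

    private static int compare(int[] a, int[] b) {
        for (int i = 0; i < 4; i++) {
            if (a[i] != b[i]) return Integer.compare(a[i], b[i]);
        }
        return 0;
    }

    /**
     * Evaluates untrusted script on a worker thread and waits at most budgetMillis.
     * Throws TimeoutException when the budget is exceeded; the worker is then abandoned,
     * because the number-formatting loop in DToA does not check the interrupt flag.
     */
    public static Object evalWithBudget(String source, long budgetMillis)
            throws InterruptedException, ExecutionException, TimeoutException {
        ExecutorService pool = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "rhino-worker");
            t.setDaemon(true); // an abandoned worker must not keep the JVM alive
            return t;
        });
        Future<Object> result = pool.submit(() -> {
            Context cx = Context.enter();
            try {
                Scriptable scope = cx.initStandardObjects();
                return cx.evaluateString(scope, source, "untrusted", 1, null);
            } finally {
                Context.exit();
            }
        });
        try {
            return result.get(budgetMillis, TimeUnit.MILLISECONDS);
        } finally {
            result.cancel(true); // best effort; a thread stuck in pow5mult will not notice
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        // Version triage for the three release lines: affected, fixed, affected, fixed
        for (String v : new String[] {"1.7.14", "1.7.14.1", "1.8.0", "1.8.1"}) {
            System.out.println(v + " affected=" + isAffected(v));
        }
        // Constructed, harmless script: an ordinary toFixed() call returns well inside the budget.
        System.out.println(evalWithBudget("(1234.5678).toFixed(2)", 2000));
    }
}
```

Run the version predicate over the Rhino coordinates found in the dependency tree (for Maven, the output of `mvn dependency:tree` lists them as org.mozilla:rhino:jar:<version>); anything it flags needs the upgrade from the line above it. Because the worker cannot be killed, size the executor per request and do not share it across tenants, or one crafted number still exhausts the pool.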

Exploit · Fix · DoS · Resource Exhaustion

Related Identifiers

AZL-71221
AZL-71503
BDU:2026-01706
CVE-2025-66453
GHSA-3W8Q-XQ97-5J7X
OPENSUSE-SU-2025:15798-1
OPENSUSE-SU-2026:20297-1
SUSE-SU-2025:4390-1
SUSE-SU-2025_4390-1
SUSE-SU-2026:20603-1

Affected Products

Debian
Rhino
Suse