Rhino JS toFixed CVE-2025-66453 DOS Before 1.8.1/1.7.15.1/1.7.14.1
CVE-2025-66453 Published on December 3, 2025
Rhino vulnerable to high CPU usage and potential DoS when specific numbers are passed to the toFixed() function
Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker-controlled floating-point number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult, where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.
Weakness Type
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2025-66453 has been classified as a Resource Exhaustion vulnerability or weakness.
Products Associated with CVE-2025-66453
Affected Versions
mozilla rhino:
- Version >= 1.8.0, < 1.8.1 is affected.
- Version >= 1.7.15, < 1.7.15.1 is affected.
- Version < 1.7.14.1 is affected.
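As an added example (not code from the advisory or from the Rhino project), the following Python audit encodes the three affected ranges above and flags matching entries in a constructed dependency list; the Maven group id org.mozilla and artifact ids beginning with rhino are assumptions of the example.

```python
# Added example, not from the advisory or the Rhino project: flag Rhino
# artifacts whose version falls inside an affected range of CVE-2025-66453.
import re
from typing import List, Optional, Tuple

# Affected ranges from the advisory: (inclusive lower bound or None, exclusive upper bound)
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    ("1.8.0", "1.8.1"),
    ("1.7.15", "1.7.15.1"),
    (None, "1.7.14.1"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.7.15.1' -> (1, 7, 15, 1). Tuples compare lexicographically, so
    (1, 7, 14) < (1, 7, 14, 1). A qualifier such as '-SNAPSHOT' is dropped."""
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", v.strip())
    if core is None:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in core.group(0).split("."))


def is_affected(version: str) -> bool:
    """True when the version lies inside any affected range."""
    ver = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        above_lo = lo is None or ver >= parse_version(lo)
        if above_lo and ver < parse_version(hi):
            return True
    return False


def audit(coordinates: List[str]) -> List[str]:
    """Return the 'group:artifact:version' coordinates that are Rhino and
    affected (group/artifact naming is an assumption of this example)."""
    hits = []
    for coord in coordinates:
        group, artifact, version = coord.split(":")
        if group == "org.mozilla" and artifact.startswith("rhino") and is_affected(version):
            hits.append(coord)
    return hits


# Constructed sample dependency list (not taken from the advisory)
SAMPLE_DEPS = [
    "org.mozilla:rhino:1.7.14",
    "org.mozilla:rhino:1.7.14.1",
    "org.mozilla:rhino-engine:1.7.15",
    "org.mozilla:rhino:1.8.0",
    "org.mozilla:rhino:1.8.1",
    "com.example:other-lib:2.0.0",
]
```

Running `audit(SAMPLE_DEPS)` reports the 1.7.14, 1.7.15 and 1.8.0 entries and leaves the three fixed or unrelated entries alone.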
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.