CVE-2025-66453: Rhino has high CPU usage and potential DoS when passing specific numbers to `toFixed()` function
When an application passes an attacker-controlled floating point number into Rhino's `toFixed()` function, it can lead to high CPU consumption and a potential Denial of Service.
Very small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult
where pow5mult attempts to raise 5 to an enormous power in arbitrary-precision arithmetic before any digit of the result is produced.
Example code that triggers the issue: `(4.47118444E-314).toFixed(2)`
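As an added example (not from the advisory and not Rhino project code), the kind of guard an application can put in front of `toFixed()` when the number comes from untrusted input and the embedded engine is an unpatched Rhino. The function names and the constant name are mine; the constant's value is the smallest positive normal IEEE-754 double (2^-1022), and the trigger value above sits well below it, so it is a subnormal. Because any subnormal is smaller than 1e-307, fixed notation with 0 to 100 digits is all zeros and can be returned without entering the dtoa path at all.

```javascript
// Added example: a defensive wrapper for toFixed() on untrusted numbers.
// Not part of the advisory or of Rhino; function names are illustrative.

// Smallest positive normal IEEE-754 double (2^-1022). Any non-zero value with a
// smaller magnitude is subnormal, like the trigger value in the advisory.
const MIN_NORMAL_DOUBLE = 2.2250738585072014e-308;

// True for non-zero finite values whose magnitude is below the normal range.
function isSubnormal(x) {
  return Number.isFinite(x) && x !== 0 && Math.abs(x) < MIN_NORMAL_DOUBLE;
}

// toFixed() that never hands a subnormal to the engine's dtoa code.
// A subnormal is below 1e-307, so for every digits value toFixed() accepts
// (0..100) the fixed notation is all zeros. The sign is kept because the
// ECMAScript algorithm yields "-0.00" for tiny negative values.
function safeToFixed(x, digits = 2) {
  if (typeof x !== 'number' || !Number.isFinite(x)) {
    throw new TypeError('safeToFixed: expected a finite number');
  }
  if (!Number.isInteger(digits) || digits < 0 || digits > 100) {
    throw new RangeError('safeToFixed: digits must be an integer in 0..100');
  }
  if (isSubnormal(x)) {
    const body = digits === 0 ? '0' : '0.' + '0'.repeat(digits);
    return (x < 0 ? '-' : '') + body;
  }
  return x.toFixed(digits);
}

// Parse an untrusted string and format it. Number() accepts the exponent
// notation an attacker would send, so the check must run after parsing,
// not on the raw string.
function formatUntrusted(input, digits = 2) {
  const x = Number(input);
  if (!Number.isFinite(x)) return null;  // reject NaN, Infinity and garbage
  return safeToFixed(x, digits);
}

// Constructed sample inputs: the advisory's trigger value, its negative,
// and a benign value.
const SAMPLES = ['4.47118444E-314', '-4.47118444E-314', '3.14159'];
for (const s of SAMPLES) {
  const note = isSubnormal(Number(s)) ? '(subnormal, short-circuited)' : '';
  console.log(s, '->', formatUntrusted(s), note);
}
```

On V8 (Node) the short-circuit and the engine's own `toFixed()` agree on every sample, which is what makes the wrapper a transparent drop-in; the value of the guard is that on an affected Rhino release the subnormal never reaches pow5mult. If your application would rather fail closed, replace the short-circuit branch with a thrown error so the request is rejected instead of formatted.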