CVE-2025-66453 is a resource exhaustion vulnerability classified under CWE-400 that affects Mozilla Rhino, a JavaScript engine implemented in Java. The vulnerability is triggered when an attacker-controlled floating-point number is passed to the toFixed() function. Internally, this call propagates through NativeNumber.numTo, DToA.JS_dtostr, DToA.JS_dtoa, and finally to DToA.pow5mult, where the function attempts to compute 5 raised to an excessively large power. This calculation leads to uncontrolled CPU consumption, potentially resulting in a Denial of Service (DoS) condition by exhausting processing resources. The flaw exists in Rhino versions before 1.8.1, 1.7.15.1, and 1.7.14.1. Exploitation requires no privileges, authentication, or user interaction, making it remotely exploitable over a network if the vulnerable Rhino engine is exposed. The CVSS 4.0 score is 5.5 (medium), reflecting the moderate impact and ease of exploitation without authentication. No known public exploits have been reported yet. The vulnerability is addressed by updating to the fixed versions. Since Rhino is often embedded in Java applications for scripting, any software or service using vulnerable Rhino versions may be indirectly affected. The root cause is an unchecked input leading to excessive computation in the pow5mult function, a classic example of uncontrolled resource consumption.

For European organizations, the primary impact is potential Denial of Service due to high CPU consumption when processing malicious inputs through Rhino's toFixed() function. This can degrade application performance, cause service outages, or increase operational costs due to resource exhaustion. Organizations embedding Rhino in web services, middleware, or internal tools are at risk, especially if these services process untrusted input or are exposed to external users. The disruption could affect critical business processes, customer-facing applications, or internal automation relying on Rhino scripting. While the vulnerability does not directly compromise confidentiality or integrity, the availability impact can be significant, particularly for high-availability environments. Additionally, organizations in sectors with strict uptime requirements (e.g., finance, healthcare, public services) may face regulatory or reputational consequences if service disruptions occur. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as exploit code could be developed given the straightforward nature of the attack vector.

1. Immediately upgrade all Rhino instances to versions 1.8.1, 1.7.15.1, or 1.7.14.1 or later, as these contain the fix for this vulnerability. 2. Conduct an inventory of all applications and services that embed Rhino to identify vulnerable versions. 3. Implement input validation and sanitization on floating-point inputs passed to scripting engines to reduce the risk of malicious inputs triggering resource exhaustion. 4. Monitor CPU usage and application performance metrics to detect anomalous spikes that could indicate exploitation attempts. 5. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block suspicious inputs targeting the toFixed() function if feasible. 6. Review and update incident response plans to include scenarios involving resource exhaustion attacks on scripting engines. 7. Engage with software vendors or third-party providers to ensure their products using Rhino are patched. 8. Consider sandboxing or isolating Rhino execution environments to limit the impact of potential DoS conditions on critical systems.