Finance.js Denial-of-Service Vulnerability via IRR Function Depth Parameter
Vulnerability
A denial-of-service vulnerability has been identified in Finance.js version 4.1.0. The issue is in the IRR function, which does not properly bound its depth parameter. Without control over recursion and iteration limits, a call can consume excessive CPU, causing the application to stall or crash.
Impact
Exploitation of this vulnerability leads to excessive CPU consumption, causing application stalls or crashes.
Reproduction
To reproduce this vulnerability, use the IRR function in Finance.js v4.1.0 with a depth parameter that exceeds the function's recursion limit. This can be done by providing a cash flow array that triggers deep recursion, such as one with many cash flow periods that the function must iterate through.
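One way to guard against this class of issue, as an added example that is not Finance.js code and not part of the original advisory: an iterative IRR solver that rejects out-of-range depth values and oversized cash flow arrays before doing any work. The names boundedIRR, MAX_DEPTH and MAX_PERIODS, the limit values and the search bracket are assumptions chosen for illustration.

```javascript
// Added example, not Finance.js code. All names and limits are hypothetical.
const MAX_DEPTH = 1000;    // assumed ceiling on solver iterations
const MAX_PERIODS = 1200;  // assumed ceiling on cash flow entries

// Net present value of cashFlows at a rate given in percent.
function npv(ratePct, cashFlows) {
  const r = 1 + ratePct / 100;
  let total = 0;
  for (let i = 0; i < cashFlows.length; i++) total += cashFlows[i] / Math.pow(r, i);
  return total;
}

function boundedIRR(cashFlows, depth = 100) {
  // Reject untrusted input before any computation is done.
  if (!Array.isArray(cashFlows) || cashFlows.length < 2 || cashFlows.length > MAX_PERIODS) {
    throw new RangeError(`cashFlows must be an array of 2..${MAX_PERIODS} entries`);
  }
  if (!cashFlows.every((v) => Number.isFinite(v))) {
    throw new TypeError('cashFlows must contain only finite numbers');
  }
  // Number.isInteger is false for NaN, Infinity, strings and fractions.
  if (!Number.isInteger(depth) || depth < 1 || depth > MAX_DEPTH) {
    throw new RangeError(`depth must be an integer in 1..${MAX_DEPTH}`);
  }
  if (!cashFlows.some((v) => v > 0) || !cashFlows.some((v) => v < 0)) {
    throw new RangeError('need at least one positive and one negative cash flow');
  }
  // Bisection over an assumed bracket of -99%..1000%. The loop is iterative,
  // so the call stack stays flat and work is at most depth * cashFlows.length.
  let lo = -99, hi = 1000;
  let fLo = npv(lo, cashFlows);
  if (!(fLo * npv(hi, cashFlows) < 0)) throw new Error('no IRR in search bracket');
  for (let i = 0; i < depth; i++) {
    const mid = (lo + hi) / 2;
    const fMid = npv(mid, cashFlows);
    if (!Number.isFinite(fMid)) throw new Error('NPV overflow, giving up');
    if (Math.abs(fMid) < 1e-7 || hi - lo < 1e-9) return Math.round(mid * 100) / 100;
    if (fLo * fMid < 0) hi = mid; else { lo = mid; fLo = fMid; }
  }
  // Fail closed instead of continuing to search.
  throw new Error('IRR did not converge within depth');
}
```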
