8.7

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2025-29776

GHSA ID

GHSA-xc76-5pf9-mx8m

EPSS Score

0.19239%

CWE

CWE-835

Published

3/14/2025

Updated

3/14/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-29776

CVE-2025-29776: In Azle, calling `setTimer` causes infinite loop of timers

Impact

Calling setTimer in Azle versions 0.27.0, 0.28.0, and 0.29.0 causes an immediate infinite loop of timers to be executed on the canister, each timer attempting to clean up the global state of the previous timer.

The infinite loop will occur with any valid invocation of setTimer.

Patches

The problem has been fixed as of Azle version 0.30.0.

Workarounds

If a canister is caught in this infinite loop after calling setTimer, the canister can be upgraded and the timers will all be cleared, thus ending the loop.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-29776

CVE-2025-29776:

8.7

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2025-29776

GHSA ID

GHSA-xc76-5pf9-mx8m

EPSS Score

0.19239%

CWE

CWE-835

Published

3/14/2025

Updated

3/14/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
azle	npm	>= 0.27.0, < 0.30.0	0.30.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests specifically through the setTimer function as described in all advisory sources. The infinite loop occurs because each timer execution attempts to clean up the previous timer's global state, which inadvertently schedules a new timer. This matches CWE-835 (infinite loop) and aligns with the patch notes mentioning state machine improvements in v0.30.0. While exact code isn't shown, the function name and behavior are explicitly documented across all sources, justifying high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-29776: In Azle, calling `setTimer` causes infinite loop of timers

Impact

Patches

Workarounds

CVE-2025-29776:

8.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

8.7

8.7

CVE-2025-29776: In Azle, calling `setTimer` causes infinite loop of timers

Impact

Patches

Workarounds

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI