
CVE-2025-56571: Finance.js vulnerable to DoS via the IRR function’s depth parameter

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: -
Published: 9/30/2025
Updated: 9/30/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: financejs
Ecosystem: npm
Vulnerable Versions: <= 4.1.0
First Patched Version: (none listed)

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability lies in the 'IRR' function of 'finance.js', which is susceptible to a Denial of Service attack. The root cause is the improper handling of the 'depth' parameter, which is intended to cap the number of iterations in the internal rate of return calculation. An attacker can supply a very large value for 'depth', so that the 'seekZero' function called by 'IRR' runs for an effectively unbounded number of iterations. The 'while' loops in 'seekZero' are the direct cause of the excessive CPU consumption; 'IRR' is the entry point, because it is the function that receives the malicious input. A runtime profiler would likely show both 'Finance.prototype.IRR' and 'seekZero' in the stack during exploitation, since 'IRR' calls 'seekZero' to perform the calculation. Because 'depth' is never validated or bounded, CPU time can be consumed without limit, which produces the DoS condition.

Vulnerable functions

Finance.prototype.IRR (finance.js)
The 'IRR' function is vulnerable because it accepts a 'depth' parameter from the caller without any validation or upper limit. 'depth' is used as the maximum number of times the inner 'npv' function may be called while 'seekZero' searches for a root. A malicious actor can provide a very large 'depth' value, causing 'seekZero' to run its computationally expensive loop for an extended period, leading to a Denial of Service.

seekZero (finance.js)
The 'seekZero' function contains the 'while' loops that are the direct cause of the Denial of Service. These loops repeatedly call the function 'fn' (here, the 'npv' function created by 'IRR'). The number of iterations is bounded only indirectly, by the 'depth' value passed to 'IRR'. When a large 'depth' is provided, the loops can continue for a very long time, consuming excessive CPU and causing the application to hang or crash.
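The interaction between 'IRR', 'npv' and 'seekZero' described above, modelled as an added example. This is not finance.js source and not the project's own code: the bodies of seekZero and irrCore, the MAX_DEPTH ceiling used by the hardened variant, and the two sample cash flows are assumptions made here to illustrate the mechanism. It shows that the work done by a non-converging search grows linearly with 'depth', and that validating 'depth' before any calculation starts removes the problem without affecting a normal calculation.

```javascript
'use strict';
// Added example: a model of the IRR / seekZero interaction the analysis
// describes. NOT finance.js source; seekZero, irrCore, MAX_DEPTH and the
// sample cash flows below are assumptions made for this illustration.

// seekZero as described: two while loops that keep calling fn until the sign
// of its result flips. Nothing inside them bounds the iteration count.
function seekZero(fn) {
  let x = 1;
  while (fn(x) > 0) x += 1;     // coarse search upward
  while (fn(x) < 0) x -= 0.01;  // fine search back downward
  return x;
}

// Core calculation: npv() counts its own calls and gives up once the count
// exceeds depth. That counter is the ONLY thing that stops seekZero when the
// NPV never changes sign, so the CPU time spent is proportional to depth.
function irrCore(cashFlows, depth) {
  let tries = 0;
  function npv(rate) {
    tries += 1;
    if (tries > depth) throw new Error("IRR can't find a result");
    const r = 1 + rate / 100;
    return cashFlows.reduce((acc, cf, i) => acc + cf / Math.pow(r, i), 0);
  }
  try {
    const irr = Math.round(seekZero(npv) * 100) / 100;
    return { irr, tries };
  } catch (e) {
    return { irr: null, tries }; // gave up: tries === depth + 1
  }
}

// Vulnerable shape: depth is taken from the caller as-is.
function irrVulnerable(cashFlows, depth) {
  return irrCore(cashFlows, depth || 1000);
}

// Hardened shape: depth must be a positive integer no larger than an
// application-chosen ceiling (assumed value). Anything else is rejected
// before a single npv() call is made.
const MAX_DEPTH = 10000;
function irrHardened(cashFlows, depth = 1000) {
  if (!Number.isInteger(depth) || depth < 1 || depth > MAX_DEPTH) {
    throw new RangeError(`depth must be an integer in [1, ${MAX_DEPTH}]`);
  }
  return irrCore(cashFlows, depth);
}

// Constructed inputs: an ordinary project, and a cash flow whose NPV stays
// positive at every rate, so seekZero's first loop can never exit on its own.
const converging = [-500000, 200000, 300000, 200000];
const nonConverging = [100, -50, -20];

function demo() {
  console.log(irrVulnerable(converging));            // irr close to 18.82, few tries
  console.log(irrVulnerable(nonConverging, 50));     // irr null, tries 51
  console.log(irrVulnerable(nonConverging, 200000)); // irr null, tries 200001
  try { irrHardened(nonConverging, 1e9); } catch (e) { console.log(e.message); }
}
demo();
```

The converging case finishes in a few dozen npv() calls whatever 'depth' is, so a cap does not hurt legitimate callers; the non-converging case runs exactly 'depth' + 1 calls, so a value such as 1e9 keeps one CPU core busy for a very long time. The same bound belongs in any application that forwards request-controlled values into this parameter.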

WAF Protection Rules

WAF Rule

finance.js v*.*.* contains a Denial of Service (DoS) vulnerability via the IRR function's depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing application stalls or crashes.
