VYPR
High severity · NVD Advisory · Published Sep 30, 2025 · Updated Oct 3, 2025

CVE-2025-56571

Description

Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function’s depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing application stalls or crashes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references; the numbered citations refer to those references.

Finance.js v4.1.0 has a DoS vulnerability in its IRR function due to improper recursion/iteration limit handling, leading to excessive CPU usage.

Vulnerability

Detail

Finance.js, a JavaScript library for common financial calculations, contains a denial of service (DoS) vulnerability in version 4.1.0 [2]. The flaw lies in the IRR (Internal Rate of Return) function, specifically in how it handles the depth parameter. Because the recursion or iteration limit is not properly bounded, the function can consume excessive CPU time, stalling or crashing the application [1].

Exploitation

An attacker can trigger this vulnerability by passing a maliciously crafted depth argument to the IRR call. Because the library runs both client-side and server-side (via Node.js), the attack surface depends on where the vulnerable function is reachable. If the application passes user-controlled input to IRR, no authentication is needed, so a remote unauthenticated attacker can cause a DoS [1].

Impact

Successful exploitation results in high CPU usage, which can stall or crash the application. This constitutes a denial of service, potentially impacting availability for legitimate users. The severity is considered high because the attack can be executed remotely without complex prerequisites [1].

Mitigation

As of the publication date (2025-09-30), no fix or workaround has been released for CVE-2025-56571. Until one is available, validate input before it reaches the library, enforce an upper bound on the depth parameter, or avoid passing untrusted input to the IRR function at all. The library maintainers are expected to issue a patched version [1].
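The mitigation advice above (validate input, cap the depth parameter) is illustrated by the following added example. It is not code from finance.js or from this advisory: it wraps a self-contained bisection-based IRR so it runs offline, and the name and meaning of depth (the maximum number of solver iterations) are assumptions, since the advisory does not document the library's exact signature. The point is that every call does bounded work regardless of what the caller supplies.

```javascript
// Added example: bounded IRR with input validation. Stand-alone, does not
// call finance.js. `depth` is assumed to mean "maximum solver iterations";
// MAX_DEPTH is an assumed application-level ceiling on CPU spent per call.
const MAX_DEPTH = 1000;

// Reject anything that is not a small positive integer, so an attacker cannot
// choose how many iterations the solver performs.
function validateDepth(depth, fallback = 100) {
  if (depth === undefined) return fallback;
  if (typeof depth !== 'number' || !Number.isInteger(depth) ||
      depth < 1 || depth > MAX_DEPTH) {
    throw new RangeError(`depth must be an integer in [1, ${MAX_DEPTH}]`);
  }
  return depth;
}

// Cash flows must be finite numbers with at least one sign change,
// otherwise no IRR exists and a solver would spin uselessly.
function validateCashFlows(cfs) {
  if (!Array.isArray(cfs) || cfs.length < 2) {
    throw new TypeError('need at least two cash flows');
  }
  let pos = false, neg = false;
  for (const v of cfs) {
    if (typeof v !== 'number' || !Number.isFinite(v)) {
      throw new TypeError('cash flows must be finite numbers');
    }
    if (v > 0) pos = true;
    if (v < 0) neg = true;
  }
  if (!pos || !neg) {
    throw new RangeError('IRR requires at least one positive and one negative cash flow');
  }
  return cfs;
}

// Net present value of the cash flows at a given rate (period 0 undiscounted).
function npv(rate, cfs) {
  let total = 0;
  for (let i = 0; i < cfs.length; i++) total += cfs[i] / Math.pow(1 + rate, i);
  return total;
}

// Bisection for the rate where NPV == 0. Performs at most `depth` iterations
// and fails loudly instead of looping further when it has not converged.
function boundedIRR(cfs, depth) {
  cfs = validateCashFlows(cfs);
  depth = validateDepth(depth);
  let lo = -0.99, hi = 10;            // search bracket for the rate
  let fLo = npv(lo, cfs);
  const fHi = npv(hi, cfs);
  if (Math.sign(fLo) === Math.sign(fHi)) {
    throw new RangeError('no sign change in bracket; IRR not found');
  }
  for (let i = 0; i < depth; i++) {
    const mid = (lo + hi) / 2;
    const fMid = npv(mid, cfs);
    if (Math.abs(fMid) < 1e-10 || (hi - lo) < 1e-12) {
      return { rate: mid, iterations: i + 1 };
    }
    if (Math.sign(fMid) === Math.sign(fLo)) { lo = mid; fLo = fMid; } else { hi = mid; }
  }
  throw new RangeError(`IRR did not converge within ${depth} iterations`);
}

// Constructed sample: invest 100, receive 110 one period later (IRR = 10%).
const sample = boundedIRR([-100, 110], 100);
console.log(sample.rate.toFixed(4), 'in', sample.iterations, 'iterations');
```

In a web or Node service, the validation functions are the part to keep in front of whatever IRR implementation is used: the caller-supplied depth is checked against a fixed ceiling before any computation starts, and malformed cash flows are rejected rather than handed to the solver.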

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
financejs (npm)    <= 4.1.0            none

Affected products (1)

  • Finance.js/Finance.js

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (0)

No linked articles in our index yet.