Amazon Linux 2023 Security Advisory: ALAS2023-2025-1339
Advisory Released Date: 2026-01-07
Advisory Updated Date: 2026-01-07
Severity:
Medium
Issue Overview:
Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker-controlled floating point number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult, where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1. (CVE-2025-66453)
Affected Packages:
rhino
Issue Correction:
Run dnf update rhino --releasever 2023.10.20260105 or dnf update --advisory ALAS2023-2025-1339 --releasever 2023.10.20260105 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
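The following script is an added example for verifying the remediation above; it is not part of the advisory. It compares the installed rhino package's version-release (as printed by rpm) against the fixed build listed in this advisory, 1.7.14.1-3.amzn2023.0.1, and reports whether the update is still needed. The comparison is a simplified numeric one scoped to the Amazon Linux 2023 rhino package line (only the leading number of the release tag is compared), not a full implementation of rpm's version ordering.

```shell
#!/bin/sh
# Added example (not part of ALAS2023-2025-1339): check whether the installed
# rhino package already carries the fix for CVE-2025-66453 on Amazon Linux 2023.
# Fixed version and release are taken from the advisory's "New Packages" list.
FIXED_VERSION="1.7.14.1"
FIXED_RELEASE="3"

# version_ge A B : succeed when dotted version A >= B, compared numerically
# component by component (missing trailing components count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# rhino_is_fixed VERSION-RELEASE : succeed when the given build contains the fix.
# Input looks like "1.7.14.1-3.amzn2023.0.1", which is what
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' rhino
# prints. Simplification: only the leading numeric part of the release is used.
rhino_is_fixed() {
    ver="${1%%-*}"
    rel="${1#*-}"
    relnum="${rel%%.*}"
    if version_ge "$ver" "$FIXED_VERSION"; then
        if [ "$ver" = "$FIXED_VERSION" ]; then
            # Same upstream version: the distro release number decides.
            [ "$relnum" -ge "$FIXED_RELEASE" ]
        else
            return 0
        fi
    else
        return 1
    fi
}

# Stand-alone use on an Amazon Linux 2023 host (skipped where rpm is absent).
if command -v rpm >/dev/null 2>&1; then
    if rpm -q rhino >/dev/null 2>&1; then
        installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' rhino)
        if rhino_is_fixed "$installed"; then
            echo "rhino $installed: fixed build, ALAS2023-2025-1339 applied"
        else
            echo "rhino $installed: vulnerable, run: dnf update --advisory ALAS2023-2025-1339 --releasever 2023.10.20260105"
        fi
    else
        echo "rhino is not installed"
    fi
fi
```

Because the check is a plain function, it can also be run over an inventory of version strings collected from a fleet (for example, output of `rpm -q --qf` gathered by configuration management) to list hosts still on a pre-fix build.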
New Packages:
noarch:
rhino-runtime-1.7.14.1-3.amzn2023.0.1.noarch
rhino-engine-1.7.14.1-3.amzn2023.0.1.noarch
rhino-1.7.14.1-3.amzn2023.0.1.noarch
rhino-javadoc-1.7.14.1-3.amzn2023.0.1.noarch
src:
rhino-1.7.14.1-3.amzn2023.0.1.src