CVE-2025-56571

7.5 HIGH

📋 TL;DR

Finance.js v4.1.0 contains a Denial of Service vulnerability in its IRR function where improper handling of the depth parameter can cause excessive CPU consumption. This allows attackers to crash or stall applications using this library by providing malicious input. Any application using Finance.js v4.1.0 for financial calculations is affected.

💻 Affected Systems

Products:
  • Finance.js
Versions: v4.1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the IRR function with user-controlled depth parameter.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete application unavailability due to CPU exhaustion, potentially affecting all users and disrupting financial operations.

🟠 Likely Case

Application performance degradation or temporary unavailability for users accessing the vulnerable IRR function.

🟢 If Mitigated

Minimal impact with proper input validation and resource limits in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A simple HTTP request with a malicious parameter can trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.1.1 or later

Vendor Advisory: https://github.com/ebradyjobory/finance.js

Restart Required: Yes

Instructions:

1. Update Finance.js to v4.1.1 or later using npm update finance.js.
2. Restart your application.
3. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation

Platform: all

Implement server-side validation to limit depth parameter values

// Validate depth parameter before passing to IRR function.
// Number.isInteger also rejects NaN, Infinity and non-numeric values, which a bare `depth > 1000` check lets through.
if (!Number.isInteger(depth) || depth < 0 || depth > 1000) { throw new Error('Depth out of range'); }
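The guard above assumes depth is already a number. In practice it arrives as an untrusted query-string value, so the check has to happen before conversion. The following is an added example (not Finance.js code or part of this advisory) of a parser for that raw value plus a request handler that rejects bad input before the IRR call is reached and emits a log line usable for the "unusually high depth parameter" indicator; the limit, handler shape and injected irrFn are assumptions.

```javascript
// Hardened depth-parameter handling for an IRR endpoint (added example, not library code).
// Assumption: the endpoint receives `depth` as an untrusted query-string value.
const MAX_DEPTH = 1000; // hypothetical ceiling; tune to what the IRR calls actually need

// Returns { ok: true, depth } for acceptable input, or { ok: false, reason } otherwise.
function parseDepth(raw, maxDepth = MAX_DEPTH) {
  if (raw === undefined || raw === null || raw === '') {
    return { ok: true, depth: undefined }; // absent: let the library use its default
  }
  if (typeof raw !== 'string' && typeof raw !== 'number') {
    return { ok: false, reason: 'depth must be a scalar' }; // arrays/objects from ?depth[]=1
  }
  const s = String(raw).trim();
  // Strict decimal-integer syntax: rejects "1e9", "0x10", "10.0", "10abc", "Infinity", "-1".
  if (!/^[0-9]{1,9}$/.test(s)) {
    return { ok: false, reason: 'depth must be a non-negative decimal integer' };
  }
  const depth = Number(s);
  if (depth > maxDepth) {
    return { ok: false, reason: `depth exceeds limit of ${maxDepth}` };
  }
  return { ok: true, depth };
}

// Simulated request handler: validation happens before the IRR function is ever called.
// irrFn is injected so the example runs without the library installed.
function handleIrrRequest(query, irrFn) {
  const parsed = parseDepth(query.depth);
  if (!parsed.ok) {
    // Structured log line for the "requests with unusually high depth" indicator.
    const log = `irr.reject depth=${JSON.stringify(query.depth)} reason="${parsed.reason}"`;
    return { status: 400, body: { error: parsed.reason }, log };
  }
  const cashflows = Array.isArray(query.cf) ? query.cf.map(Number) : [];
  return { status: 200, body: { irr: irrFn(cashflows, parsed.depth) }, log: null };
}
```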

Resource Limiting

Platform: linux

Implement CPU usage limits for the application process

# Node.js has no process.setrlimit(); apply the CPU-time rlimit from the launching shell instead (bash, Linux).
# This counts total CPU-seconds over the process lifetime, so it suits short-lived workers; a long-running service needs a scheduler quota (e.g. systemd CPUQuota=) instead.
ulimit -S -t 5 && ulimit -H -t 10   # soft 5 s (SIGXCPU), hard 10 s (process killed)
node app.js                          # hypothetical entry point

🧯 If You Can't Patch

  • Implement WAF rules to block requests with suspicious depth parameter values
  • Monitor CPU usage and implement automatic restart thresholds for the application

🔍 How to Verify

Check if Vulnerable:

Check package.json for finance.js version 4.1.0

Check Version:

npm list finance.js

Verify Fix Applied:

Verify finance.js version is 4.1.1 or later in package.json

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • Application crash logs
  • Requests with unusually high depth parameter values

Network Indicators:

  • HTTP requests to IRR endpoints with large depth parameters
  • Increased response times for financial calculation endpoints

SIEM Query:

source="application.logs" AND ("IRR" OR "depth") AND (cpu_usage>90 OR status="500")
