CVE-2025-29776
March 14, 2025, 2:15 p.m.
None
No Score
Description
Azle is a WebAssembly runtime for TypeScript and JavaScript on ICP. Calling `setTimer` in Azle versions `0.27.0`, `0.28.0`, and `0.29.0` causes an immediate infinite loop of timers to be executed on the canister, each timer attempting to clean up the global state of the previous timer. The infinite loop will occur with any valid invocation of `setTimer`. The problem has been fixed as of Azle version `0.30.0`. As a workaround, if a canister is caught in this infinite loop after calling `setTimer`, the canister can be upgraded and the timers will all be cleared, thus ending the loop.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Azle |
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | azle | azle | 0.27.0 | / | / | / | / | / | / | / |
| a | azle | azle | 0.28.0 | / | / | / | / | / | / | / |
| a | azle | azle | 0.29.0 | / | / | / | / | / | / | / |
| a | azle | azle | 0.30.0 | / | / | / | / | / | / | / |
Tags
Timeline
Published: March 14, 2025, 2:15 p.m.
Last Modified: March 14, 2025, 2:15 p.m.
Last Modified: March 14, 2025, 2:15 p.m.
Status : Received
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
security-advisories@github.com
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.