CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-29776: Azle calling `setTimer` causes infinite loop of timers

8.7 CVSS

Description

Azle is a WebAssembly runtime for TypeScript and JavaScript on ICP. Calling `setTimer` in Azle versions `0.27.0`, `0.28.0`, and `0.29.0` causes an immediate infinite loop of timers to be executed on the canister, each timer attempting to clean up the global state of the previous timer. The infinite loop will occur with any valid invocation of `setTimer`. The problem has been fixed as of Azle version `0.30.0`. As a workaround, if a canister is caught in this infinite loop after calling `setTimer`, the canister can be upgraded and the timers will all be cleared, thus ending the loop.

Classification

CVE ID: CVE-2025-29776

CVSS Base Severity: HIGH

CVSS Base Score: 8.7

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Problem Types

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Affected Products

Vendor: demergent-labs

Product: azle

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 13.82% (scored less or equal to compared to others)

EPSS Date: 2025-04-12 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-29776
https://github.com/demergent-labs/azle/security/advisories/GHSA-xc76-5pf9-mx8m
https://github.com/demergent-labs/azle/releases/tag/0.30.0

Timeline

2025-03-14 14:40:22 UTC
CVE

Azle calling `setTimer` causes infinite loop of timers
2025-03-14 18:15:34 UTC
Github Advisory Database (NPM)

[azle] In Azle, calling `setTimer` causes infinite loop of timers