CVE-2025-29776: 
JavaScript vulnerability analysis and mitigation

Azle, a WebAssembly runtime for TypeScript and JavaScript on ICP, contains a critical vulnerability identified as CVE-2025-29776. The vulnerability affects versions 0.27.0, 0.28.0, and 0.29.0, and was discovered and disclosed on March 14, 2025. The issue has been assigned a CVSS v4.0 base score of 8.7 (High) (GitHub Advisory, NVD).

The vulnerability is triggered when calling the setTimer function in affected versions, which causes an immediate infinite loop of timers to be executed on the canister. Each timer in the loop attempts to clean up the global state of the previous timer. The issue occurs with any valid invocation of setTimer. The vulnerability has been assigned a CVSS v4.0 vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L, indicating network accessibility, low attack complexity, and high impact on system availability (GitHub Advisory).

The vulnerability results in an infinite loop that affects system availability. When exploited, it causes continuous execution of timers, each attempting to clean up the global state of the previous timer, leading to a denial of service condition on the affected canister (GitHub Advisory).

The vulnerability has been fixed in Azle version 0.30.0. As a temporary workaround, if a canister is caught in this infinite loop after calling setTimer, the canister can be upgraded, which will clear all timers and end the loop (GitHub Release, GitHub Advisory).