CVE-2025-29776: In Azle, calling `setTimer` causes infinite loop of timers
Calling `setTimer` in Azle versions 0.27.0, 0.28.0, and 0.29.0 causes an immediate infinite loop of timers to be executed on the canister, each timer attempting to clean up the global state of the previous timer.
The infinite loop will occur with any valid invocation of `setTimer`.
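To check a project against the version list above, the following added example (not part of the advisory or of the Azle project) scans a parsed `package-lock.json` for any copy of `azle`, top-level or nested, pinned to one of the three listed versions. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag the Azle releases named in this advisory inside an npm lockfile.
// The version list comes from the advisory text; the sample lockfile is constructed.
const AFFECTED = new Set(["0.27.0", "0.28.0", "0.29.0"]);

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function fromPackages(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages || {})) {
    // Matches "node_modules/azle" and nested "node_modules/x/node_modules/azle",
    // but not look-alike names such as "node_modules/azle-extras".
    if (/(^|\/)node_modules\/azle$/.test(path) && AFFECTED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// lockfileVersion 1: recursive "dependencies" tree.
function fromDependencies(deps, prefix = "") {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === "azle" && AFFECTED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
    hits.push(...fromDependencies(meta.dependencies, `${path}/`));
  }
  return hits;
}

function findAffectedAzle(lock) {
  // v2 lockfiles carry both views of the same tree; "packages" is the complete one.
  return lock.packages ? fromPackages(lock.packages) : fromDependencies(lock.dependencies);
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-canister", dependencies: { azle: "0.29.0" } },
    "node_modules/azle": { version: "0.29.0" },                      // listed version
    "node_modules/helper/node_modules/azle": { version: "0.26.0" },  // not a listed version
    "node_modules/azle-extras": { version: "0.27.0" },               // different package name
  },
};

console.log(findAffectedAzle(sampleLock));
```

To scan a real project, pass `findAffectedAzle` the parsed contents of its `package-lock.json`.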