[RORDEV-1901] CVE-2025-67735 & CVE-2025-66453 fix #1199
base: develop
Conversation
Actionable comments posted: 1
📒 Files selected for processing (2)
- core/build.gradle
- core/src/main/scala/tech/beshu/ror/utils/js/MozillaJsCompiler.scala
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2025-09-21T14:19:51.421Z
Learnt from: mgoworko
Repo: sscarduzio/elasticsearch-readonlyrest-plugin PR: 1163
File: core/src/test/scala/tech/beshu/ror/unit/acl/factory/decoders/rules/auth/RorKbnAuthorizationRuleSettingsTests.scala:19-19
Timestamp: 2025-09-21T14:19:51.421Z
Learning: The elasticsearch-readonlyrest-plugin project uses Gradle for build configuration and Scala 3.3.3. The build.sbt file appears to be outdated and should not be used to determine the actual Scala version. Only the audit module uses cross-compilation with multiple Scala versions (2.11, 2.12, 2.13, 3.3.3), while all other modules use Scala 3.3.3. Scala 3 wildcard import syntax with `.*` is correct and should be used.
Applied to files:
core/build.gradle
📚 Learning: 2025-09-21T14:19:51.421Z
Learnt from: mgoworko
Repo: sscarduzio/elasticsearch-readonlyrest-plugin PR: 1163
File: core/src/test/scala/tech/beshu/ror/unit/acl/factory/decoders/rules/auth/RorKbnAuthorizationRuleSettingsTests.scala:19-19
Timestamp: 2025-09-21T14:19:51.421Z
Learning: The elasticsearch-readonlyrest-plugin project uses Gradle for build configuration and Scala 3.3.3 (not Scala 2.13.3). The Scala 3 wildcard import syntax with `.*` is correct and should be used instead of the Scala 2 `._` syntax. Only the audit example uses a different setup.
Applied to files:
core/build.gradle
📚 Learning: 2024-12-16T17:14:36.317Z
Learnt from: mateuszkp96
Repo: sscarduzio/elasticsearch-readonlyrest-plugin PR: 1064
File: tests-utils/build.gradle:15-15
Timestamp: 2024-12-16T17:14:36.317Z
Learning: In this project, `log4j-core` version `2.15.0` is only used in test dependencies and not included in production builds.
Applied to files:
core/build.gradle
🔇 Additional comments (3)
core/src/main/scala/tech/beshu/ror/utils/js/MozillaJsCompiler.scala (1)
73-73: Verify API compatibility with Rhino 1.8.1.

The Rhino upgrade from 1.7.14 to 1.8.1 addresses CVE-2025-66453, a DoS vulnerability in the toFixed() function. The API change from `setOptimizationLevel(-1)` to `setInterpretedMode(true)` appears semantically equivalent for disabling optimization and avoiding ClassLoader requirements.

Please verify that this API change is correct for Rhino 1.8.1 and that the JS compilation functionality works as expected in the interpreted mode.
core/build.gradle (2)
85-85: Security fix verified: Rhino upgrade addresses CVE-2025-66453.

The upgrade from Rhino 1.7.14 to 1.8.1 addresses CVE-2025-66453, a moderate-severity DoS vulnerability where attacker-controlled floating-point numbers passed to toFixed() could cause high CPU consumption. The fix is included in version 1.8.1.
107-112: Security fix verified: Netty upgrade addresses CVE-2025-67735.

The upgrade from Netty 4.1.126.Final to 4.1.130.Final addresses CVE-2025-67735 (CVSS 6.5 Medium), a CRLF injection vulnerability in HttpRequestEncoder that could enable request smuggling. The vulnerability was fixed in version 4.1.129.Final, and version 4.1.130.Final was released on 15-Dec-25, providing additional bug fixes beyond the security patch.
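Added illustration, not code from the plugin or from this PR: a minimal Scala evaluator showing the Rhino 1.8.x interpreted-mode setup the review describes (`setInterpretedMode(true)` in place of the pre-1.8 `setOptimizationLevel(-1)`), with the Java bridge left out of the script scope. The object `InterpretedJsEval` and its methods are this example's own names; it assumes Rhino 1.8.1 on the classpath and the `Context.setInterpretedMode` API named in the review.

```scala
import org.mozilla.javascript.{Context, Scriptable}

import scala.util.Try

// Example only (not the plugin's MozillaJsCompiler): evaluate a small JS
// expression with Rhino 1.8.x in interpreted mode. Assumes Rhino 1.8.1's
// Context.setInterpretedMode, the API the review refers to.
object InterpretedJsEval {

  // Evaluates `script` in a fresh Rhino context and converts the result
  // to a plain Java value. Any JS error surfaces as a Failure.
  def eval(script: String): Try[AnyRef] = Try {
    val ctx = Context.enter()
    try {
      // Interpreted mode: no bytecode is generated for the script, so no
      // ClassLoader is involved (this replaces setOptimizationLevel(-1)).
      ctx.setInterpretedMode(true)
      ctx.setLanguageVersion(Context.VERSION_ES6)
      // Standard objects without the LiveConnect Java bridge: a config
      // expression evaluated here cannot reach `java.*` or `Packages`.
      val scope: Scriptable = ctx.initSafeStandardObjects()
      val result = ctx.evaluateString(scope, script, "<config-expr>", 1, null)
      Context.jsToJava(result, classOf[AnyRef])
    } finally {
      // Always release the thread-bound context, even on failure.
      Context.exit()
    }
  }

  // Narrows the result to a string, which is what a config value reader wants.
  def evalString(script: String): Try[String] =
    eval(script).map(v => Context.toString(v))

  def main(args: Array[String]): Unit = {
    // A harmless string-building expression of the kind a config might hold.
    println(evalString("'es-' + [2025, 12].join('.')"))
    // An attempt to touch the JVM from the script; `java` is not defined in
    // the safe scope, so evaluation fails instead of reaching the host.
    println(evalString("java.lang.System.getProperty('user.home')"))
  }
}
```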
| // | ||
| // In order to omit using ClassLoader's we need to set optimization level to `-1` (a bit worse performance, but it concerns only reading few values from config) | ||
| context.setOptimizationLevel(-1) | ||
| // In order to omit using ClassLoader's we need to set interpreted mod (a bit worse performance, but it concerns only reading few values from config) |
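Review bot: the hunk removes `context.setOptimizationLevel(-1)` and adds only the replacement comment; the call that comment describes (`context.setInterpretedMode(true)`, per the review summary above) is not among the visible lines, so make sure it directly follows the new comment, otherwise the context is left on Rhino's default mode and the ClassLoader use the comment says must be avoided comes back. While here, `ClassLoader's` should read `ClassLoaders` and `interpreted mod` should read `interpreted mode`.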
Fix typo in comment.
The comment contains a typo: "interpreted mod" should be "interpreted mode".
🔎 Proposed fix
- // In order to omit using ClassLoader's we need to set interpreted mod (a bit worse performance, but it concerns only reading few values from config)
+ // In order to omit using ClassLoader's we need to set interpreted mode (a bit worse performance, but it concerns only reading few values from config)
🚨 Security Fix (ES) CVE-2025-67735, CVE-2025-66453