CVE-2025-66453 replace servicemix rhino bundle with org.mozilla:rhino:1.7.15.1#1037

Merged
vharseko merged 3 commits into master from copilot/update-rhino-dependency-version on Jun 9, 2026
Conversation

Copilot AI commented Jun 6, 2026

org.apache.servicemix.bundles:org.apache.servicemix.bundles.rhino:1.7.15_1 inlines org.mozilla:rhino:1.7.15, which is vulnerable to CVE-2025-66453 (CVSS 7.5) — a DoS via Number.prototype.toFixed() that drives DToA.pow5mult into unbounded CPU consumption. No newer ServiceMix bundle exists on Maven Central; the fixed org.mozilla:rhino:1.7.15.1 is a safe drop-in since OpenAM deploys as a WAR (no OSGi runtime) and uses only the standard org.mozilla.javascript.* API.

Changes

  • pom.xml — updated rhino.version to 1.7.15.1 and replaced the <dependencyManagement> entry:
    <!-- before -->
    <groupId>org.apache.servicemix.bundles</groupId>
    <artifactId>org.apache.servicemix.bundles.rhino</artifactId>
    
    <!-- after -->
    <groupId>org.mozilla</groupId>
    <artifactId>rhino</artifactId>
  • openam-scripting/pom.xml — same groupId/artifactId substitution for the consuming module dependency.

No source changes required; org.mozilla:rhino exposes the identical org.mozilla.javascript.* API surface.

Copilot AI changed the title [WIP] Update org.apache.servicemix.bundles.rhino to mitigate CVE-2025-66453 fix(security): replace servicemix rhino bundle with org.mozilla:rhino:1.7.15.1 (CVE-2025-66453) Jun 6, 2026
Copilot AI requested a review from vharseko June 6, 2026 09:35
@vharseko vharseko requested review from maximthomas and removed request for vharseko June 6, 2026 09:36
@vharseko vharseko changed the title fix(security): replace servicemix rhino bundle with org.mozilla:rhino:1.7.15.1 (CVE-2025-66453) CVE-2025-66453 replace servicemix rhino bundle with org.mozilla:rhino:1.7.15.1 Jun 6, 2026
@vharseko vharseko marked this pull request as ready for review June 6, 2026 09:36
maximthomas commented Jun 6, 2026

This upgrade leads to dependency duplication, see #980, so there will be a duplicated transitive servicemix dependency from commons and the current org.mozilla.rhino dependency. Changing the dependency in the commons project from servicemix to org.mozilla will break OpenIDM.

CVE-2025-66453 has low severity (2.7/10)
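A check a reviewer could run for the duplication concern raised above: the added script below (example code, not part of this PR or either project) compares the class entries of jars that both ship org.mozilla.javascript.* and reports which copy sits first on the classpath, since a duplicated artifact only neutralises the fix if the older copy wins. The jar names and contents are constructed stand-ins, not the real artifacts.

```python
import io
import zipfile
from collections import defaultdict

# Package that both the servicemix bundle and upstream rhino provide.
RHINO_PREFIX = "org/mozilla/javascript/"


def list_classes(jar_bytes, prefix=RHINO_PREFIX):
    """Return the .class entries under prefix inside a jar given as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {n for n in zf.namelist() if n.startswith(prefix) and n.endswith(".class")}


def find_shadowed_classes(classpath):
    """classpath: ordered list of (jar_name, jar_bytes); on a flat classpath the
    first jar listed wins. Returns {class: [jar, ...]} for every class present in
    more than one jar, with the winning jar first. In a servlet container the
    WEB-INF/lib order is container-specific, so any duplicate is a finding."""
    owners = defaultdict(list)
    for jar_name, jar_bytes in classpath:
        for cls in sorted(list_classes(jar_bytes)):
            owners[cls].append(jar_name)
    return {cls: jars for cls, jars in owners.items() if len(jars) > 1}


def make_jar(entries):
    """Build an in-memory jar with empty class files (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed stand-ins: a bundle inlining the old rhino, and the fixed upstream jar.
SERVICEMIX_JAR = make_jar([RHINO_PREFIX + "DToA.class",
                           RHINO_PREFIX + "Context.class",
                           "META-INF/MANIFEST.MF"])
MOZILLA_JAR = make_jar([RHINO_PREFIX + "DToA.class",
                        RHINO_PREFIX + "Context.class",
                        RHINO_PREFIX + "NativeNumber.class"])

# Transitive bundle from commons first, direct upstream dependency second.
SAMPLE_CLASSPATH = [("servicemix-rhino-1.7.15_1.jar", SERVICEMIX_JAR),
                    ("rhino-1.7.15.1.jar", MOZILLA_JAR)]

if __name__ == "__main__":
    for cls, jars in sorted(find_shadowed_classes(SAMPLE_CLASSPATH).items()):
        print(f"{cls}: loaded from {jars[0]}, shadows {jars[1:]}")
```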

@maximthomas

Doing research to replace the servicemix bundle in the OpenIDM project.

Comment thread pom.xml

Rhino dependency declaration can be removed from the file. It is already declared in the commons project.

Removed dependency for Mozilla Rhino Javascript engine.
@vharseko vharseko requested a review from maximthomas June 9, 2026 12:45
@vharseko vharseko merged commit 2defe55 into master Jun 9, 2026
18 of 19 checks passed
@vharseko vharseko deleted the copilot/update-rhino-dependency-version branch June 9, 2026 15:50