[Medium]: Patch to upgrade llhttp from v6.1.1 to v9.1.2 to address CVE-2025-23167

Open durgajagadeesh opened this issue 6 months ago • 13 comments

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • [ ] The toolchain has been rebuilt successfully (or no changes were made to it)
  • [x] The toolchain/worker package manifests are up-to-date
  • [x] Any updated packages successfully build (or no packages were changed)
  • [x] Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • [x] Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • [x] All package sources are available
  • [x] cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • [x] LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • [x] All source files have up-to-date hashes in the *.signatures.json files
  • [x] sudo make go-tidy-all and sudo make go-test-coverage pass
  • [x] Documentation has been updated to match any changes to the build system
  • [ ] Ready to merge

Summary
  • Upgrading llhttp-v6 to llhttp-v9.1.2 is sufficient to resolve CVE-2025-23167. Abhilash has confirmed this, and I have included the security test results in the comments section.
  • Upstream llhttp-v9.1.2 release reference: https://github.com/nodejs/llhttp/releases
  • Upstream source tarball: https://github.com/nodejs/llhttp/archive/refs/tags/release/v9.1.2.tar.gz
Change Log
  • Modified file: nodejs18.spec
  • New file: upgrade_llhttp-v6.1.1_to_llhttp-v9.1.2.patch
  • New file: update_callBack_pointers_in_llhttp_settings_t_structure_fix_http_parser_error.patch
Does this affect the toolchain?

NO

Associated issues
  • #xxxx
Links to CVEs
  • https://nvd.nist.gov/vuln/detail/CVE-2025-23167
Test Methodology

durgajagadeesh avatar Jul 21 '25 03:07 durgajagadeesh

Buddy Build

Kanishk-Bansal avatar Jul 22 '25 06:07 Kanishk-Bansal

Buddy Build

Hi @Kanishk-Bansal, the build failed; I am checking for the failure reason.

-Thank you!

durgajagadeesh avatar Jul 22 '25 11:07 durgajagadeesh

Hi @Kanishk-Bansal and @kgodara912, I have received the security test logs from the MSRC team. Based on these results, Abhilash has confirmed that there is no need to apply any additional CVE fix with this upgrade, as the upgraded patch already includes the CVE fix. Please see the logs below for your reference.

This is the PoC Abhilash was using: CVE-2025-23167: HTTP Parser Flaw in Node.js 20 Allows Request Smuggling

Default response without patch:

Binary with patch throws HTTP 400:

-Thank you!

durgajagadeesh avatar Aug 06 '25 03:08 durgajagadeesh

@kgodara912, the patch was applied without issues and has been tested successfully on the local VM.

-Thank you!

durgajagadeesh avatar Aug 09 '25 21:08 durgajagadeesh

Buddy Build

Kanishk-Bansal avatar Aug 12 '25 07:08 Kanishk-Bansal

Buddy Build

Hi @Kanishk-Bansal and @kgodara912, the Buddy Build passed, and my patch applied successfully, as shown in the reference screenshot below.

-Thank you!

durgajagadeesh avatar Aug 12 '25 08:08 durgajagadeesh

@Sumynwa, could you please share your review and sign-off on this PR if all is good?

Malateshk007 avatar Aug 20 '25 05:08 Malateshk007

@Sumynwa, gentle reminder for the review and approval!

Malateshk007 avatar Sep 02 '25 05:09 Malateshk007

@Sumynwa, gentle reminder for the review and approval!

Malateshk007 avatar Sep 08 '25 04:09 Malateshk007

@durgajagadeesh, can you please provide more details on the changes?

From what I can gather: update_callBack_pointers_in_llhttp_settings_t_structure_fix_http_parser_error.patch: I see that we have taken partial changes from the upstream nodejs llhttp bump to 8.1.0.

upgrade_llhttp-v6.1.1_to_llhttp-v9.1.2.patch: This looks like a patch from the upstream bump to 9.1.2, but I see we don't have changes to test files.

Is this correct? In summary, I am trying to understand how we are trying to fix the CVE: by upgrading llhttp to 9.1.2? If so, how/what changes are we taking?

@kgodara912 @Kanishk-Bansal

Sumynwa avatar Sep 18 '25 09:09 Sumynwa

@Sumynwa, you're right: the update_callback_pointers... patch includes partial changes from the nodejs 3.0-dev branch, specifically targeting the callback pointer structure to resolve HTTP parser errors. The upgrade_llhttp-v6.1.1_to_llhttp-v9.1.2.patch is based on the upstream bump suggested in the CVE Triage Comments.

I have deliberately omitted test file modifications to ensure the patch remains minimal and focused on runtime behavior. Existing tests have not been removed, nor have new tests been added, as the Upstream reference patch does not include changes to the test directory. To resolve CVE-2025-23167, we are upgrading to v9.1.2, which provides essential security updates. I will provide a summary of the implemented changes and the rationale in the next comment on the PR shortly.

durgajagadeesh avatar Sep 19 '25 05:09 durgajagadeesh

Hi @Sumynwa, please see the steps I followed to create these patches:

  1. upgrade_llhttp-v6.1.1_to_llhttp-v9.1.2.patch: This patch was developed incrementally to ensure only the llhttp dependency (for nodejs18 in branch 2.0) was upgraded. I used the upstream llhttp-v9.1.2 source file (https://github.com/nodejs/llhttp/archive/refs/tags/release/v9.1.2.tar.gz).

After downloading the llhttp-v9.1.2 source, I compared the source files between llhttp-v6.1.1 and llhttp-v9.1.2 and confirmed that the differences were properly applied, as shown below. You can see the file differences between the left and right sides of the screenshot below.

Left side: llhttp-v9.1.2 upstream source files.

Right side: llhttp-v6.1.1 from the 2.0 branch.

The initial patch summary is shown below.

The same changes have been uploaded to the PR.

  2. update_callBack_pointers_in_llhttp_settings_t_structure_fix_http_parser_error.patch: For the node parsing error fix, I previously encountered an llhttp node parser error in Node.js 18 (branch 2.0) after applying the upgrade patch. This issue did not occur in the Node.js 3.0-dev branch with the same patch. Upon investigation, I identified that the issue was related to the structure members in the parser file and resolved it by using the structure from the 3.0-dev branch.

Left side: nodejs18, 2.0 branch. Right side: nodejs 3.0-dev branch.

I have used the parsing structure members from the 3.0-dev branch, as the llhttp upgrade has been functioning smoothly there. Therefore, I referenced this working structure to address the parser error.

Additionally, I have received positive results from the MSRC team after providing the binary RPM from the local VM build. They have verified that the llhttp upgrade effectively addresses CVE-2025-23167. Binary with patch throws HTTP 400:

Kindly let me know if I have missed anything or if there is anything that still needs to be addressed. -Thank you!

durgajagadeesh avatar Sep 19 '25 13:09 durgajagadeesh
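As an added illustration of the problem behind the second patch (this script is not part of the PR, of Azure Linux, or of upstream llhttp), the following compares the callback slots declared in `struct llhttp_settings_s` between two header versions, so a packager can see which slots a bump adds, removes or moves before touching the parser's settings initialization. The two headers are constructed, abbreviated stand-ins that reuse real llhttp member names (the real v9 struct declares more slots); they are not the vendored files.

```python
import re

# Constructed, abbreviated stand-ins for struct llhttp_settings_s in two
# vendored deps/llhttp/include/llhttp.h versions; member names follow real
# llhttp but the lists are shortened and are NOT copied from the PR's patches.
HEADER_V6 = """
struct llhttp_settings_s {
  llhttp_cb      on_message_begin;
  llhttp_data_cb on_url;
  llhttp_data_cb on_header_field;
  llhttp_cb      on_headers_complete;
  llhttp_data_cb on_body;
  llhttp_cb      on_message_complete;
};
"""
HEADER_V9 = """
struct llhttp_settings_s {
  llhttp_cb      on_message_begin;
  llhttp_data_cb on_url;
  llhttp_data_cb on_method;
  llhttp_data_cb on_version;
  llhttp_data_cb on_header_field;
  llhttp_cb      on_headers_complete;
  llhttp_data_cb on_body;
  llhttp_cb      on_message_complete;
  llhttp_cb      on_reset;
};
"""
STRUCT_RE = re.compile(r"struct\s+llhttp_settings_s\s*\{(.*?)\};", re.S)
MEMBER_RE = re.compile(r"^\s*(llhttp_(?:data_)?cb)\s+(\w+)\s*;", re.M)

def settings_members(header):
    """(type, name) of every callback slot, in declaration order."""
    m = STRUCT_RE.search(header)
    if m is None:
        raise ValueError("struct llhttp_settings_s not found in header")
    return MEMBER_RE.findall(m.group(1))

def settings_diff(old_header, new_header):
    """Slots added, removed, or moved to a different offset. Any non-empty
    list means a positional initializer written for the old struct is wrong."""
    old = [n for _, n in settings_members(old_header)]
    new = [n for _, n in settings_members(new_header)]
    return {
        "added": [n for n in new if n not in old],
        "removed": [n for n in old if n not in new],
        "shifted": [n for i, n in enumerate(old)
                    if n in new and new.index(n) != i],
    }
```

Run it against the two real headers (old and new `llhttp.h`) to get the list of slots whose offsets changed; every shifted slot is one the parser's settings initialization must name explicitly rather than fill by position.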

Rebase has been completed successfully.

durgajagadeesh avatar Nov 18 '25 12:11 durgajagadeesh