
Fix CVE-2025-22871 and migrate Lambda runtime to AL2023#27

Open

justint79 wants to merge 1 commit into master from BredrockForwarder-CVE-2025-22871

Conversation

@justint79

Summary

  • CVE-2025-22871 (Critical): Bumps Go from 1.22/toolchain 1.23.0 to 1.23/toolchain 1.23.8, resolving the net/http request smuggling vulnerability baked into the compiled binary's stdlib
  • Amazon Linux 2 EOL: Migrates Lambda runtime from provided.al2 to provided.al2023 (AL2 reached end of standard support June 2025)
  • Updates manual deployment instructions in README to reflect the new runtime

Important Note

The CircleCI build image (233765244907.dkr.ecr.us-east-1.amazonaws.com/build:latest) must have Go 1.23.8+ installed for the CVE fix to take effect in production builds. The binary is statically compiled (CGO_ENABLED=0), so the AL2023 runtime change has no compatibility risk.

Files Changed

File                 Change
go.mod               go 1.22 -> go 1.23, toolchain go1.23.0 -> toolchain go1.23.8
template.yaml.tmpl   Runtime: provided.al2 -> Runtime: provided.al2023
README.md            --runtime provided.al2 -> --runtime provided.al2023

Test Plan

  • go build compiles cleanly
  • All unit tests pass (go test ./...)
  • Verify CI build image has Go 1.23.8+ before merging
  • Deploy to dev environment and validate Lambda execution

Ref: ITSM-816
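The "Important Note" and the test-plan step "Verify CI build image has Go 1.23.8+ before merging" are worth automating, because a go.mod bump alone does not patch anything: the stdlib that ends up in the binary is whichever toolchain the build image actually runs. The script below is an added example, not code from this PR or from the forwarder project. It checks a `go version` line against the 1.23.8 minimum, inspects a compiled binary with `go version -m` to confirm both the embedded Go version and the `CGO_ENABLED=0` static build the note relies on, and runs its self-test on constructed sample lines so it works without a Go toolchain. The binary path `./bootstrap` is an assumption (the PR does not name the artifact); override it with `BINARY_PATH`.

```shell
#!/bin/sh
# Added example (not part of the PR): confirm the toolchain and the produced
# binary carry a Go stdlib at or above the version that fixes CVE-2025-22871.

MIN_GO_VERSION="1.23.8"
# Assumed artifact name for a provided.al2023 Lambda; not taken from the PR.
BINARY_PATH="${BINARY_PATH:-./bootstrap}"

# version_ge A B: exit 0 when dotted version A >= B (e.g. 1.24 >= 1.23.8).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in pa) ? pa[i] + 0 : 0
            y = (i in pb) ? pb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# parse_go_version LINE: pull "1.23.8" out of "go version go1.23.8 linux/amd64"
# (what `go version` prints) or "bootstrap: go1.23.8" (first line of
# `go version -m <binary>`). Prints nothing if no goN.N[.N] token is present.
parse_go_version() {
    printf '%s\n' "$1" | sed -n 's/.*go\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# check_go_line LINE: 0 if the Go version in LINE meets MIN_GO_VERSION,
# 1 if it is older, 2 if no version could be parsed.
check_go_line() {
    v=$(parse_go_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$MIN_GO_VERSION"
}

# is_static_build MODINFO: 0 when the `go version -m` output records the
# build setting CGO_ENABLED=0 (real output separates columns with tabs).
is_static_build() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*build[[:space:]][[:space:]]*CGO_ENABLED=0[[:space:]]*$'
}

# Constructed sample lines for the self-test (not captured from the CI image).
SAMPLE_OLD="go version go1.23.0 linux/amd64"
SAMPLE_NEW="go version go1.23.8 linux/amd64"
SAMPLE_MODINFO="bootstrap: go1.23.8
    path    bootstrap
    build   CGO_ENABLED=0
    build   GOARCH=amd64"

# Live checks: only run when a Go toolchain is present on this machine.
if command -v go >/dev/null 2>&1; then
    if check_go_line "$(go version)"; then
        echo "toolchain OK: $(go version)"
    else
        echo "toolchain below $MIN_GO_VERSION; CVE-2025-22871 fix will not be built in: $(go version)" >&2
    fi
    if [ -f "$BINARY_PATH" ]; then
        modinfo=$(go version -m "$BINARY_PATH")
        if check_go_line "$(printf '%s\n' "$modinfo" | head -n 1)"; then
            echo "$BINARY_PATH was built with a patched stdlib"
        else
            echo "$BINARY_PATH still embeds a vulnerable stdlib" >&2
        fi
        if is_static_build "$modinfo"; then
            echo "$BINARY_PATH is a static build (CGO_ENABLED=0)"
        else
            echo "$BINARY_PATH is not static; AL2023 compatibility must be rechecked" >&2
        fi
    fi
fi
```

Run it inside the CircleCI build image as a pre-merge step, and again against the artifact the pipeline produced: the second check is the one that matters, since it reads the version stamped into the binary rather than trusting the image's PATH.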

- Bump Go version to 1.23 / toolchain go1.23.8 to resolve CVE-2025-22871
  (net/http request smuggling vulnerability in Go stdlib)
- Migrate Lambda runtime from provided.al2 to provided.al2023
  (Amazon Linux 2 reached end of standard support June 2025)

Ref: ITSM-816
@tuncerkaplankiran (Member) left a comment

After merge, verify by installing the new version of the Lambda forwarder as stated in our docs page.
