Patch reaper for CVE-2025-12816, CVE-2025-66031 [High] and CVE-2025-66030 [Medium]

[akhila-guruju]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

Patch reaper for CVE-2025-12816, CVE-2025-66031 [High] and CVE-2025-66030 [Medium]

For CVE-2025-12816 [High]:
Patch Modified: No
Upstream patch reference: https://app.codecov.io/gh/digitalbazaar/forge/commit/a5ce91d03df4dcfc025b74a5b7f50389942d49c9?dropdown=coverage&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=digitalbazaar
The PR link, digitalbazaar/forge#1124, says that the above commit fixes CVE.
digitalbazaar/forge@v1.3.1...v1.3.2

For CVE-2025-66031 [High]:
Patch Modified: No
Upstream patch reference: https://github.com/digitalbazaar/forge/commit/260425c6167a38aae038697132483b5517b26451.patch

For CVE-2025-66030 [Medium]:
Patch Modified: Yes (Some files are not patched because they are not available in our codebase)

• the file tests/unit/asn1.js is not available.

Upstream patch reference: https://github.com/digitalbazaar/forge/commit/3e0c35ace169cfca529a3e547a7848dc7bf57fdb.patch

Change Log

• new file: SPECS/reaper/CVE-2025-12816.patch
• new file: SPECS/reaper/CVE-2025-66030.patch
• new file: SPECS/reaper/CVE-2025-66031.patch
• modified: SPECS/reaper/reaper.spec

Does this affect the toolchain?

NO

Associated issues

• #xxxx

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-12816
• https://nvd.nist.gov/vuln/detail/CVE-2025-66031
• https://nvd.nist.gov/vuln/detail/CVE-2025-66030

Test Methodology

• Local Build
• patches apply cleanly

[Kanishk-Bansal]

/azurepipelines run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[CBL-Mariner-Bot]

Auto cherry-pick results:

• main ✅ -> [AUTO-CHERRYPICK] Patch reaper for CVE-2025-12816, CVE-2025-66031 [High] and CVE-2025-66030 [Medium] - branch main #15208

Auto cherry-pick pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=996139&view=results