
10 fixable High severity vulnerabilities in docker image. #2692

Open
@yarongol

Description

Describe the bug
There are 10 high-severity security vulnerabilities in the latest Docker image.

Minimal reproducible OpenAPI snippet (if possible)

> trivy image redocly/redoc --ignore-unfixed --severity HIGH,CRITICAL
2025-05-21T20:23:46+03:00	INFO	[vuln] Vulnerability scanning is enabled
2025-05-21T20:23:46+03:00	INFO	[secret] Secret scanning is enabled
2025-05-21T20:23:46+03:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-05-21T20:23:46+03:00	INFO	[secret] Please see also https://trivy.dev/v0.61/docs/scanner/secret#recommendation for faster secret detection
2025-05-21T20:23:48+03:00	INFO	Detected OS	family="alpine" version="3.21.3"
2025-05-21T20:23:48+03:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.21" repository="3.21" pkg_num=67
2025-05-21T20:23:48+03:00	INFO	Number of language-specific files	num=0
2025-05-21T20:23:48+03:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.61/docs/scanner/vulnerability#severity-selection for details.

Report Summary

┌───────────────────────────────┬────────┬─────────────────┬─────────┐
│            Target             │  Type  │ Vulnerabilities │ Secrets │
├───────────────────────────────┼────────┼─────────────────┼─────────┤
│ redocly/redoc (alpine 3.21.3) │ alpine │       10        │    -    │
└───────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


redocly/redoc (alpine 3.21.3)

Total: 10 (HIGH: 10, CRITICAL: 0)

┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ c-ares   │ CVE-2025-31498 │ HIGH     │ fixed  │ 1.34.3-r0         │ 1.34.5-r0     │ c-ares: c-ares has a use-after-free in read_answers()        │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-31498                   │
├──────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libexpat │ CVE-2024-8176  │          │        │ 2.6.4-r0          │ 2.7.0-r0      │ libexpat: expat: Improper Restriction of XML Entity          │
│          │                │          │        │                   │               │ Expansion Depth in libexpat                                  │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-8176                    │
├──────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2  │ CVE-2024-56171 │          │        │ 2.13.4-r3         │ 2.13.4-r4     │ libxml2: Use-After-Free in libxml2                           │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-56171                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-24928 │          │        │                   │               │ libxml2: Stack-based buffer overflow in xmlSnprintfElements  │
│          │                │          │        │                   │               │ of libxml2                                                   │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-24928                   │
│          ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-27113 │          │        │                   │ 2.13.4-r5     │ libxml2: NULL Pointer Dereference in libxml2 xmlPatMatch     │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-27113                   │
│          ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-32414 │          │        │                   │ 2.13.4-r6     │ libxml2: Out-of-Bounds Read in libxml2                       │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-32414                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-32415 │          │        │                   │               │ libxml2: Out-of-bounds Read in xmlSchemaIDCFillNodeTables    │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-32415                   │
├──────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libxslt  │ CVE-2024-55549 │          │        │ 1.1.42-r1         │ 1.1.42-r2     │ libxslt: Use-After-Free in libxslt (xsltGetInheritedNsList)  │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-55549                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-24855 │          │        │                   │               │ libxslt: Use-After-Free in libxslt numbers.c                 │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-24855                   │
├──────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ xz-libs  │ CVE-2025-31115 │          │        │ 5.6.3-r0          │ 5.6.3-r1      │ xz: XZ has a heap-use-after-free bug in threaded .xz decoder │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-31115                   │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
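
Added here as a worked example, not code from the redoc project, from Trivy, or from the reporter: a small Python script that takes the JSON form of the scan above (`trivy image -f json -o report.json redocly/redoc`) and collapses the findings into the minimum set of apk upgrades needed to clear them. The point it makes is visible in the table: libxml2 carries three different fixed versions (r4, r5, r6), and only the highest one closes every finding, so a naive "pin to the first fixed version" would leave CVE-2025-32414 and CVE-2025-32415 open. The sample report embedded in the script is constructed by hand from the rows above (a subset, plus one placeholder entry with no fix, labelled `EXAMPLE-UNFIXED`, to show how `--ignore-unfixed` behaviour is reproduced); the field names `Results`, `Vulnerabilities`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity` are Trivy's documented JSON schema, and the apk version comparison is a deliberate simplification that only handles numeric components and the `-rN` release.

```python
"""Collapse a Trivy JSON report into the minimum apk upgrades that clear it.

Added example, not part of redoc or Trivy. Assumes the `trivy image -f json`
report layout (Results[].Vulnerabilities[] with PkgName / InstalledVersion /
FixedVersion / Severity / Status). The sample report below is constructed from
the findings quoted in the issue; it is not a real scan result.
"""
import json
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: a subset of the issue's findings, plus one placeholder
# entry with no FixedVersion to exercise the --ignore-unfixed filtering.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "redocly/redoc (alpine 3.21.3)",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2025-31498", "PkgName": "c-ares",
             "InstalledVersion": "1.34.3-r0", "FixedVersion": "1.34.5-r0",
             "Severity": "HIGH", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2024-56171", "PkgName": "libxml2",
             "InstalledVersion": "2.13.4-r3", "FixedVersion": "2.13.4-r4",
             "Severity": "HIGH", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2025-27113", "PkgName": "libxml2",
             "InstalledVersion": "2.13.4-r3", "FixedVersion": "2.13.4-r5",
             "Severity": "HIGH", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2025-32414", "PkgName": "libxml2",
             "InstalledVersion": "2.13.4-r3", "FixedVersion": "2.13.4-r6",
             "Severity": "HIGH", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2025-31115", "PkgName": "xz-libs",
             "InstalledVersion": "5.6.3-r0", "FixedVersion": "5.6.3-r1",
             "Severity": "HIGH", "Status": "fixed"},
            # Placeholder (not a real advisory): an unfixed finding that the
            # --ignore-unfixed style filter below must drop.
            {"VulnerabilityID": "EXAMPLE-UNFIXED", "PkgName": "example-pkg",
             "InstalledVersion": "1.0-r0", "FixedVersion": "",
             "Severity": "HIGH", "Status": "affected"},
        ],
    }]
})


def apk_version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sort key for Alpine package versions such as '2.13.4-r6'.

    Simplification (assumption): compares the numeric dot-separated components
    and the '-rN' package release only; apk's _alpha/_p suffix rules are ignored.
    """
    base, _, rel = version.partition("-r")
    nums = tuple(int(x) for x in re.findall(r"\d+", base))
    return nums, int(rel) if rel.isdigit() else 0


def fixable_findings(report_json: str, severities=("HIGH", "CRITICAL")) -> List[dict]:
    """Findings of the given severities that carry a FixedVersion, i.e. what
    `trivy --ignore-unfixed --severity HIGH,CRITICAL` would list."""
    report = json.loads(report_json)
    found = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") in severities and vuln.get("FixedVersion"):
                found.append(vuln)
    return found


def required_upgrades(findings: List[dict]) -> Dict[str, str]:
    """Map each package to the highest FixedVersion any of its findings needs.

    libxml2 in the issue needs r4, r5 and r6 for different CVEs; only r6
    closes all of them, so the maximum per package is the version to install.
    """
    needed: Dict[str, str] = {}
    for vuln in findings:
        pkg, fixed = vuln["PkgName"], vuln["FixedVersion"]
        if pkg not in needed or apk_version_key(fixed) > apk_version_key(needed[pkg]):
            needed[pkg] = fixed
    return needed


def apk_add_line(upgrades: Dict[str, str]) -> str:
    """Render an apk command pinning each package to at least its fixed version."""
    pins = " ".join(f"'{pkg}>={ver}'" for pkg, ver in sorted(upgrades.items()))
    return f"apk add --no-cache {pins}"


if __name__ == "__main__":
    # Pass a real report path (trivy image -f json -o report.json ...) to use it;
    # with no argument the constructed sample above is used.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    findings = fixable_findings(raw)
    print(f"{len(findings)} fixable HIGH/CRITICAL findings")
    print(apk_add_line(required_upgrades(findings)))
```

The pinned `apk add` line is what you would put in a derived image (`FROM redocly/redoc` followed by that `RUN`) until the upstream image is rebuilt; plain `apk upgrade --no-cache` in the same place pulls every fixed Alpine package without needing the list. For a CI gate, Trivy's own `--exit-code 1` with the same `--ignore-unfixed --severity HIGH,CRITICAL` filter fails the job directly, so this script is for deriving the remediation, not for the pass/fail decision.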

