CVE-2025-49844 Redis vulnerability score 10.0 not detected #9595

IDs
CVE-2025-49844

Description
Hi,

Reproduction Steps
1. run `docker run aquasec/trivy image --debug library/redis:7.4.5-alpine`
2. no CVE detected

Target
Container Image

Scanner
Vulnerability

Target OS
WSL

Debug Output
docker run aquasec/trivy image --debug library/redis:7.4.5-alpine
2025-10-06T10:49:28Z DEBUG No plugins loaded
2025-10-06T10:49:28Z DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-06T10:49:28Z DEBUG Cache dir dir="/root/.cache/trivy"
2025-10-06T10:49:28Z DEBUG Cache dir dir="/root/.cache/trivy"
2025-10-06T10:49:28Z DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-10-06T10:49:28Z DEBUG Ignore statuses statuses=[]
2025-10-06T10:49:28Z DEBUG [vulndb] There is no db file
2025-10-06T10:49:28Z DEBUG [vulndb] There is no valid metadata file err.message="file open error" err.err="file open error: open /root/.cache/trivy/db/metadata.json: no such file or directory" err.time=2025-10-06T10:49:28.48900807Z err.trace="01K6WJ805ASVFTVF6SHWWSMVYP" err.context.file_path="/root/.cache/trivy/db/metadata.json" err.stacktrace="Oops: file open error\n --- at /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/metadata/metadata.go:43 Client.Get()\n --- at /home/runner/work/trivy/trivy/pkg/db/db.go:105 Client.NeedsUpdate()\n --- at /home/runner/work/trivy/trivy/pkg/commands/operation/operation.go:33 DownloadDB()\n --- at /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:324 runner.initDB()\n --- at /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:135 NewRunner()\n --- at /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:413 run()\n --- at /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:396 Run()\n --- at /home/runner/work/trivy/trivy/pkg/commands/app.go:317 NewImageCommand.func2()\n --- at /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1015 Command.execute()\n --- at /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1148 Command.ExecuteC()"
2025-10-06T10:49:28Z INFO [vulndb] Need to update DB
2025-10-06T10:49:28Z INFO [vulndb] Downloading vulnerability DB...
2025-10-06T10:49:28Z INFO [vulndb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-10-06T10:49:28Z DEBUG Created process-specific temp directory path="/tmp/trivy-1"
72.09 MiB / 72.09 MiB [-------------------------------------------------] 100.00% 11.61 MiB p/s 6.4s
2025-10-06T10:49:35Z INFO [vulndb] Artifact successfully downloaded repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-10-06T10:49:35Z DEBUG Updating database metadata...
2025-10-06T10:49:35Z DEBUG DB info schema=2 updated_at=2025-10-06T06:28:50.025769971Z next_update=2025-10-07T06:28:50.025769701Z downloaded_at=2025-10-06T10:49:35.259119197Z
2025-10-06T10:49:35Z DEBUG [pkg] Package types types=[os library]
2025-10-06T10:49:35Z DEBUG [pkg] Package relationships relationships=[unknown root workspace direct indirect]
2025-10-06T10:49:35Z INFO [vuln] Vulnerability scanning is enabled
2025-10-06T10:49:35Z INFO [secret] Secret scanning is enabled
2025-10-06T10:49:35Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-10-06T10:49:35Z INFO [secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection
2025-10-06T10:49:35Z DEBUG Initializing scan cache... type="fs"
2025-10-06T10:49:35Z DEBUG [notification] Running version check
2025-10-06T10:49:35Z DEBUG [notification] Version check completed latest_version="0.67.0"
2025-10-06T10:49:36Z DEBUG [image] Image found image="library/redis:7.4.5-alpine" source="remote"
2025-10-06T10:49:36Z DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2025-10-06T10:49:36Z DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2025-10-06T10:49:36Z DEBUG [image] Detected image ID image_id="sha256:f218e591b571a4129aa29a8566b597d849fba21af7be853d31b03122b20db5e9"
2025-10-06T10:49:36Z DEBUG [image] Detected diff ID diff_ids=[sha256:7003d23cc2176ec98ba2f8b3b4b9b5f144ef370e39bfcf6275a92b5064bc9261 sha256:ce338844277c82626a4802033421174baf4f72e5b45b17c14050b0b7106e01c5 sha256:f836eaa3d735583fccc42ed96255e2e469e6a92a8bd377f1abb5cf037b51af70 sha256:d06e921464af004975f9ed478769c27c52771888bd24a0bb1c4b4cf68fd7dc64 sha256:d9a3a3ee289cc02b964a976638beda44e12c80c26fe53e5525b6dd371de4a037 sha256:314667c8c3aa8788f80613e5d5bcf01f9828e9ab3bc88166678edc9d3f543570 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:9021b8e2e3fc6238bc0c7b15516230fe74c4d95c471ae86ec92fb60df97f6f95]
2025-10-06T10:49:36Z DEBUG [image] Detected base layers diff_ids=[sha256:7003d23cc2176ec98ba2f8b3b4b9b5f144ef370e39bfcf6275a92b5064bc9261]
2025-10-06T10:49:36Z DEBUG [image] Missing image ID in cache image_id="sha256:f218e591b571a4129aa29a8566b597d849fba21af7be853d31b03122b20db5e9"
2025-10-06T10:49:36Z DEBUG [image] Missing diff ID in cache diff_id="sha256:7003d23cc2176ec98ba2f8b3b4b9b5f144ef370e39bfcf6275a92b5064bc9261"
2025-10-06T10:49:36Z DEBUG [image] Missing diff ID in cache diff_id="sha256:ce338844277c82626a4802033421174baf4f72e5b45b17c14050b0b7106e01c5"
2025-10-06T10:49:36Z DEBUG [image] Missing diff ID in cache diff_id="sha256:d06e921464af004975f9ed478769c27c52771888bd24a0bb1c4b4cf68fd7dc64"
2025-10-06T10:49:36Z DEBUG [image] Missing diff ID in cache diff_id="sha256:f836eaa3d735583fccc42ed96255e2e469e6a92a8bd377f1abb5cf037b51af70"
2025-10-06T10:49:36Z DEBUG [image] Missing diff ID in cache diff_id="sha256:d9a3a3ee289cc02b964a976638beda44e12c80c26fe53e5525b6dd371de4a037"
2025-10-06T10:49:36Z DEBUG [secret] Using streaming scanner file_path="/etc/apk/world"
2025-10-06T10:49:36Z DEBUG [secret] scanStream called file_path="/etc/apk/world" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/apk/world" content_len=112 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/apk/world" content_len=112 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] Using streaming scanner file_path="/lib/apk/db/installed"
2025-10-06T10:49:36Z DEBUG [secret] scanStream called file_path="/lib/apk/db/installed" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/lib/apk/db/installed" content_len=42129 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] Using streaming scanner file_path="/lib/apk/db/triggers"
2025-10-06T10:49:36Z DEBUG [secret] scanStream called file_path="/lib/apk/db/triggers" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/lib/apk/db/triggers" content_len=95 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/lib/apk/db/triggers" content_len=95 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] Using streaming scanner file_path="/etc/shadow"
2025-10-06T10:49:36Z DEBUG [secret] scanStream called file_path="/etc/shadow" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:36Z DEBUG [secret] Using streaming scanner file_path="/etc/passwd"
2025-10-06T10:49:36Z DEBUG [secret] Using streaming scanner file_path="/etc/passwd-"
2025-10-06T10:49:36Z DEBUG [secret] scanStream called file_path="/etc/passwd" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:36Z DEBUG [secret] scanStream called file_path="/etc/passwd-" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/shadow" content_len=287 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] Using streaming scanner file_path="/etc/group"
2025-10-06T10:49:36Z DEBUG [secret] Using streaming scanner file_path="/etc/group-"
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/shadow" content_len=287 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanStream called file_path="/etc/group-" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/passwd" content_len=746 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/group-" content_len=524 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/passwd" content_len=746 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanStream called file_path="/etc/group" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/group" content_len=529 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/passwd-" content_len=702 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/group" content_len=529 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/group-" content_len=524 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/passwd-" content_len=702 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] Using streaming scanner file_path="/etc/shadow-"
2025-10-06T10:49:36Z DEBUG [secret] scanStream called file_path="/etc/shadow-" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/shadow-" content_len=260 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/shadow-" content_len=260 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/lib/apk/db/installed" content_len=4096 num_rules=87
2025-10-06T10:49:36Z DEBUG [image] Missing diff ID in cache diff_id="sha256:314667c8c3aa8788f80613e5d5bcf01f9828e9ab3bc88166678edc9d3f543570"
2025-10-06T10:49:36Z DEBUG [secret] Using streaming scanner file_path="/etc/apk/world"
2025-10-06T10:49:36Z DEBUG [secret] scanStream called file_path="/etc/apk/world" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/apk/world" content_len=81 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/apk/world" content_len=81 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] Using streaming scanner file_path="/lib/apk/db/installed"
2025-10-06T10:49:36Z DEBUG [secret] scanStream called file_path="/lib/apk/db/installed" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/lib/apk/db/installed" content_len=41954 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] Using streaming scanner file_path="/lib/apk/db/triggers"
2025-10-06T10:49:36Z DEBUG [secret] scanStream called file_path="/lib/apk/db/triggers" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/lib/apk/db/triggers" content_len=95 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/lib/apk/db/triggers" content_len=95 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/lib/apk/db/installed" content_len=4096 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] Using streaming scanner file_path="/etc/apk/world"
2025-10-06T10:49:36Z DEBUG [secret] scanStream called file_path="/etc/apk/world" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/apk/world" content_len=81 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/etc/apk/world" content_len=81 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] Using streaming scanner file_path="/lib/apk/db/installed"
2025-10-06T10:49:36Z DEBUG [secret] scanStream called file_path="/lib/apk/db/installed" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/lib/apk/db/installed" content_len=41954 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] Using streaming scanner file_path="/lib/apk/db/triggers"
2025-10-06T10:49:36Z DEBUG [secret] scanStream called file_path="/lib/apk/db/triggers" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/lib/apk/db/triggers" content_len=95 num_rules=87
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/lib/apk/db/triggers" content_len=95 num_rules=87
2025-10-06T10:49:36Z DEBUG [image] Missing diff ID in cache diff_id="sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
2025-10-06T10:49:36Z DEBUG [secret] scanChunk called file_path="/lib/apk/db/installed" content_len=4096 num_rules=87
2025-10-06T10:49:36Z DEBUG [gobinary] Unable to detect main module's dependency version - `(devel)` is used dependency="github.com/tianon/gosu"
2025-10-06T10:49:36Z DEBUG [gobinary] Parsing dependency's build info settings dependency="github.com/tianon/gosu" -ldflags=[-d -w]
2025-10-06T10:49:36Z DEBUG [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used. dependency="github.com/tianon/gosu"
2025-10-06T10:49:36Z DEBUG [image] Missing diff ID in cache diff_id="sha256:9021b8e2e3fc6238bc0c7b15516230fe74c4d95c471ae86ec92fb60df97f6f95"
2025-10-06T10:49:37Z DEBUG [secret] Using streaming scanner file_path="/usr/local/bin/docker-entrypoint.sh"
2025-10-06T10:49:37Z DEBUG [secret] scanStream called file_path="/usr/local/bin/docker-entrypoint.sh" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:37Z DEBUG [secret] scanChunk called file_path="/usr/local/bin/docker-entrypoint.sh" content_len=661 num_rules=87
2025-10-06T10:49:37Z DEBUG [secret] scanChunk called file_path="/usr/local/bin/docker-entrypoint.sh" content_len=661 num_rules=87
2025-10-06T10:49:37Z DEBUG [secret] Using streaming scanner file_path="config.json"
2025-10-06T10:49:37Z DEBUG [secret] scanStream called file_path="config.json" buffer_size=65536 overlap_size=4096
2025-10-06T10:49:37Z DEBUG [secret] scanChunk called file_path="config.json" content_len=8370 num_rules=87
2025-10-06T10:49:37Z DEBUG [secret] scanChunk called file_path="config.json" content_len=4096 num_rules=87
2025-10-06T10:49:37Z DEBUG No secrets found in container image config
2025-10-06T10:49:37Z INFO Detected OS family="alpine" version="3.21.4"
2025-10-06T10:49:37Z INFO [alpine] Detecting vulnerabilities... os_version="3.21" repository="3.21" pkg_num=17
2025-10-06T10:49:37Z INFO Number of language-specific files num=1
2025-10-06T10:49:37Z INFO [gobinary] Detecting vulnerabilities...
2025-10-06T10:49:37Z DEBUG [gobinary] Scanning packages for vulnerabilities file_path="usr/local/bin/gosu"
2025-10-06T10:49:37Z DEBUG [gobinary] Skipping vulnerability scan as no version is detected for the package name="github.com/tianon/gosu"
2025-10-06T10:49:37Z WARN Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.67/docs/scanner/vulnerability#severity-selection for details.
2025-10-06T10:49:37Z DEBUG Specified ignore file does not exist file=".trivyignore"
2025-10-06T10:49:37Z DEBUG [vex] VEX filtering is disabled
2025-10-06T10:49:37Z DEBUG Cleaning up temp directory path="/tmp/trivy-1"
Report Summary
┌────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ library/redis:7.4.5-alpine (alpine 3.21.4) │ alpine │ 6 │ - │
├────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/gosu │ gobinary │ 63 │ - │
└────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
library/redis:7.4.5-alpine (alpine 3.21.4)
==========================================
Total: 6 (UNKNOWN: 0, LOW: 2, MEDIUM: 4, HIGH: 0, CRITICAL: 0)
┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2025-9230 │ MEDIUM │ fixed │ 3.3.4-r0 │ 3.3.5-r0 │ openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-9230 │
│ ├───────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-9231 │ │ │ │ │ openssl: Timing side-channel in SM2 algorithm on 64 bit ARM │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-9231 │
│ ├───────────────┼──────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-9232 │ LOW │ │ │ │ openssl: Out-of-bounds read in HTTP client no_proxy handling │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-9232 │
├────────────┼───────────────┼──────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ libssl3 │ CVE-2025-9230 │ MEDIUM │ │ │ │ openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-9230 │
│ ├───────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-9231 │ │ │ │ │ openssl: Timing side-channel in SM2 algorithm on 64 bit ARM │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-9231 │
│ ├───────────────┼──────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-9232 │ LOW │ │ │ │ openssl: Out-of-bounds read in HTTP client no_proxy handling │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-9232 │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
usr/local/bin/gosu (gobinary)
=============================
Total: 63 (UNKNOWN: 0, LOW: 1, MEDIUM: 27, HIGH: 32, CRITICAL: 3)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2023-24538 │ CRITICAL │ fixed │ v1.18.2 │ 1.19.8, 1.20.3 │ golang: html/template: backticks not treated as string │
│ │ │ │ │ │ │ delimiters │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-24538 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-24540 │ │ │ │ 1.19.9, 1.20.4 │ golang: html/template: improper handling of JavaScript │
│ │ │ │ │ │ │ whitespace │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-24540 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-24790 │ │ │ │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│ │ │ │ │ │ │ IPv4-mapped IPv6 addresses │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24790 │
│ ├────────────────┼──────────┤ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-27664 │ HIGH │ │ │ 1.18.6, 1.19.1 │ golang: net/http: handle server errors after sending GOAWAY │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-27664 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-28131 │ │ │ │ 1.17.12, 1.18.4 │ golang: encoding/xml: stack exhaustion in Decoder.Skip │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-28131 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-2879 │ │ │ │ 1.18.7, 1.19.2 │ golang: archive/tar: github.com/vbatts/tar-split: unbounded │
│ │ │ │ │ │ │ memory consumption when reading headers │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2879 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-2880 │ │ │ │ │ golang: net/http/httputil: ReverseProxy should not forward │
│ │ │ │ │ │ │ unparseable query parameters │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2880 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-29804 │ │ │ │ 1.17.11, 1.18.3 │ ELSA-2022-17957: ol8addon security update (IMPORTANT) │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29804 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-30580 │ │ │ │ │ golang: os/exec: Code injection in Cmd.Start │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30580 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-30630 │ │ │ │ 1.17.12, 1.18.4 │ golang: io/fs: stack exhaustion in Glob │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30630 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-30631 │ │ │ │ │ golang: compress/gzip: stack exhaustion in Reader.Read │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30631 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-30632 │ │ │ │ │ golang: path/filepath: stack exhaustion in Glob │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30632 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-30633 │ │ │ │ │ golang: encoding/xml: stack exhaustion in Unmarshal │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30633 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-30634 │ │ │ │ 1.17.11, 1.18.3 │ ELSA-2022-17957: ol8addon security update (IMPORTANT) │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30634 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-30635 │ │ │ │ 1.17.12, 1.18.4 │ golang: encoding/gob: stack exhaustion in Decoder.Decode │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30635 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-32189 │ │ │ │ 1.17.13, 1.18.5 │ golang: math/big: decoding big.Float and big.Rat types can │
│ │ │ │ │ │ │ panic if the encoded... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-32189 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41715 │ │ │ │ 1.18.7, 1.19.2 │ golang: regexp/syntax: limit memory used by parsing regexps │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41715 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41716 │ │ │ │ 1.18.8, 1.19.3 │ Due to unsanitized NUL values, attackers may be able to │
│ │ │ │ │ │ │ maliciously se... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41716 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41720 │ │ │ │ 1.18.9, 1.19.4 │ golang: os, net/http: avoid escapes from os.DirFS and │
│ │ │ │ │ │ │ http.Dir on Windows │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41720 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41722 │ │ │ │ 1.19.6, 1.20.1 │ golang: path/filepath: path-filepath filepath.Clean path │
│ │ │ │ │ │ │ traversal │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41722 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41723 │ │ │ │ │ golang.org/x/net/http2: avoid quadratic complexity in HPACK │
│ │ │ │ │ │ │ decoding │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41723 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41724 │ │ │ │ │ golang: crypto/tls: large handshake records may cause panics │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41724 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41725 │ │ │ │ │ golang: net/http, mime/multipart: denial of service from │
│ │ │ │ │ │ │ excessive resource consumption │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41725 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-24534 │ │ │ │ 1.19.8, 1.20.3 │ golang: net/http, net/textproto: denial of service from │
│ │ │ │ │ │ │ excessive memory allocation │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-24534 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-24536 │ │ │ │ │ golang: net/http, net/textproto, mime/multipart: denial of │
│ │ │ │ │ │ │ service from excessive resource consumption │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-24536 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-24537 │ │ │ │ │ golang: go/parser: Infinite loop in parsing │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-24537 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-24539 │ │ │ │ 1.19.9, 1.20.4 │ golang: html/template: improper sanitization of CSS values │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-24539 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-29400 │ │ │ │ │ golang: html/template: improper handling of empty HTML │
│ │ │ │ │ │ │ attributes │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-29400 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-29403 │ │ │ │ 1.19.10, 1.20.5 │ golang: runtime: unexpected behavior of setuid/setgid │
│ │ │ │ │ │ │ binaries │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-29403 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-39325 │ │ │ │ 1.20.10, 1.21.3 │ golang: net/http, x/net/http2: rapid stream resets can cause │
│ │ │ │ │ │ │ excessive work (CVE-2023-44487) │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-39325 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-45283 │ │ │ │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\ │
│ │ │ │ │ │ │ prefix as... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45283 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-45287 │ │ │ │ 1.20.0 │ golang: crypto/tls: Timing Side Channel attack in RSA based │
│ │ │ │ │ │ │ TLS key exchanges.... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45287 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-45288 │ │ │ │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│ │ │ │ │ │ │ CONTINUATION frames causes DoS │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45288 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-34156 │ │ │ │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│ │ │ │ │ │ │ which contains deeply nested structures... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34156 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-47907 │ │ │ │ 1.23.12, 1.24.6 │ database/sql: Postgres Scan Race Condition │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-47907 │
│ ├────────────────┼──────────┤ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-1705 │ MEDIUM │ │ │ 1.17.12, 1.18.4 │ golang: net/http: improper sanitization of Transfer-Encoding │
│ │ │ │ │ │ │ header │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1705 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-1962 │ │ │ │ │ golang: go/parser: stack exhaustion in all Parse* functions │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1962 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-32148 │ │ │ │ │ golang: net/http/httputil: NewSingleHostReverseProxy - omit │
│ │ │ │ │ │ │ X-Forwarded-For not working │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-32148 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41717 │ │ │ │ 1.18.9, 1.19.4 │ golang: net/http: excessive memory growth in a Go server │
│ │ │ │ │ │ │ accepting HTTP/2 requests... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41717 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-24532 │ │ │ │ 1.19.7, 1.20.2 │ golang: crypto/internal/nistec: specific unreduced P-256 │
│ │ │ │ │ │ │ scalars produce incorrect results │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-24532 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-29406 │ │ │ │ 1.19.11, 1.20.6 │ golang: net/http: insufficient sanitization of Host header │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-29406 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-29409 │ │ │ │ 1.19.12, 1.20.7, 1.21.0-rc.4 │ golang: crypto/tls: slow verification of certificate chains │
│ │ │ │ │ │ │ containing large RSA keys │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-29409 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-39318 │ │ │ │ 1.20.8, 1.21.1 │ golang: html/template: improper handling of HTML-like │
│ │ │ │ │ │ │ comments within script contexts │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-39318 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-39319 │ │ │ │ │ golang: html/template: improper handling of special tags │
│ │ │ │ │ │ │ within script contexts │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-39319 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-39326 │ │ │ │ 1.20.12, 1.21.5 │ golang: net/http/internal: Denial of Service (DoS) via │
│ │ │ │ │ │ │ Resource Consumption via HTTP requests... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-39326 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-45284 │ │ │ │ 1.20.11, 1.21.4 │ On Windows, The IsLocal function does not correctly detect │
│ │ │ │ │ │ │ reserved de ...... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45284 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-45289 │ │ │ │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of │
│ │ │ │ │ │ │ sensitive headers and cookies on HTTP redirect... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45289 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-45290 │ │ │ │ │ golang: net/http: golang: mime/multipart: golang: │
│ │ │ │ │ │ │ net/textproto: memory exhaustion in │
│ │ │ │ │ │ │ Request.ParseMultipartForm │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45290 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-24783 │ │ │ │ │ golang: crypto/x509: Verify panics on certificates with an │
│ │ │ │ │ │ │ unknown public key algorithm... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24783 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-24784 │ │ │ │ │ golang: net/mail: comments in display names are incorrectly │
│ │ │ │ │ │ │ handled │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24784 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-24785 │ │ │ │ │ golang: html/template: errors returned from MarshalJSON │
│ │ │ │ │ │ │ methods may break template escaping │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24785 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-24789 │ │ │ │ 1.21.11, 1.22.4 │ golang: archive/zip: Incorrect handling of certain ZIP files │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24789 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-24791 │ │ │ │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue │
│ │ │ │ │ │ │ handling in net/http │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24791 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-34155 │ │ │ │ 1.22.7, 1.23.1 │ go/parser: golang: Calling any of the Parse functions │
│ │ │ │ │ │ │ containing deeply nested literals... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34155 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-34158 │ │ │ │ │ go/build/constraint: golang: Calling Parse on a "// +build" │
│ │ │ │ │ │ │ build tag line with... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34158 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-45336 │ │ │ │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly │
│ │ │ │ │ │ │ sent after cross-domain redirect │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45336 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-45341 │ │ │ │ │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│ │ │ │ │ │ │ bypass URI name... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45341 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-0913 │ │ │ │ 1.23.10, 1.24.4 │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│ │ │ │ │ │ │ in os in syscall... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-0913 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-22866 │ │ │ │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│ │ │ │ │ │ │ on ppc64le in crypto/internal/nistec │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22866 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-22871 │ │ │ │ 1.23.8, 1.24.2 │ net/http: Request smuggling due to acceptance of invalid │
│ │ │ │ │ │ │ chunked data in net/http... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22871 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-4673 │ │ │ │ 1.23.10, 1.24.4 │ net/http: Sensitive headers not cleared on cross-origin │
│ │ │ │ │ │ │ redirect in net/http │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-4673 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-47906 │ │ │ │ 1.23.12, 1.24.6 │ os/exec: Unexpected paths returned from LookPath in os/exec │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-47906 │
│ ├────────────────┼──────────┤ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-30629 │ LOW │ │ │ 1.17.11, 1.18.3 │ golang: crypto/tls: session tickets lack random │
│ │ │ │ │ │ │ ticket_age_add │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30629 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴──────────────────────────────────────────────────────────────┘
Version: 0.67.0
I have also tried to scan for this CVE-2025-49844 in the image from Bitnami, 'bitnamilegacy/redis:8.0.3-debian-12-r3'. The CVE is still not detected, but I can see other vulnerabilities detected, e.g. CVE-2025-46817 from '/opt/binami/redis'. I'm attaching the JSON output here: trivy-scan.json
Hello @bedla
Thanks for your report!
The redis binary is downloaded from the release page in this image.
Trivy only supports scanning binaries built in Go and Rust.
Therefore, Trivy does not detect this vulnerability.
Related links:
Regards, Dmitriy
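The gap described in the reply above can be checked mechanically: a component the scanner never identified as a package was never matched against the vulnerability database. The following is an added example, not part of the discussion or of Trivy's code; the report is a constructed sample shaped like `trivy image --format json --list-all-pkgs` output, and `inventory`, `coverage_gaps` and the expected-component list are hypothetical names.

```python
# Constructed sample shaped like `trivy image --format json --list-all-pkgs`
# output; targets, package versions and the result layout are illustrative.
SAMPLE_REPORT = {
    "ArtifactName": "library/redis:7.4.5-alpine",
    "Results": [
        {
            "Target": "library/redis:7.4.5-alpine (alpine)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Packages": [{"Name": "busybox", "Version": "0.0.0-constructed"}],
        },
        {
            "Target": "usr/local/bin/example-go-tool",  # hypothetical path
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Packages": [{"Name": "stdlib", "Version": "0.0.0-constructed"}],
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-45288", "PkgName": "stdlib"}
            ],
        },
    ],
}


def inventory(report):
    """Map each package name the scanner identified to the results naming it."""
    seen = {}
    for result in report.get("Results") or []:
        origin = (result.get("Class"), result.get("Type"), result.get("Target"))
        names = [p.get("Name") for p in result.get("Packages") or []]
        names += [v.get("PkgName") for v in result.get("Vulnerabilities") or []]
        for name in names:
            if name:
                seen.setdefault(name.lower(), set()).add(origin)
    return seen


def coverage_gaps(report, expected):
    """Return expected components that no result identified as a package.

    A component listed here was never matched against the vulnerability
    database, so "no CVE reported" says nothing about it.
    """
    seen = inventory(report)
    return [name for name in expected if name.lower() not in seen]


if __name__ == "__main__":
    print(coverage_gaps(SAMPLE_REPORT, ["redis", "stdlib", "busybox"]))
```

Any component this returns needs its version established another way, for example from an SBOM shipped with the image or from `redis-server --version` run inside the container.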