Description
Expected Behavior
No more CVEs found
Actual Behavior
There are some CVEs found in the latest Temporal image:
temporalio/server:1.27.1
Steps to Reproduce the Problem
1. Pull the latest image `temporalio/server:1.27.1` from Docker Hub.
2. Scan the image with any vulnerability scanner.
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | FIX IN |
|---|---|---|---|---|---|
| CVE-2024-2689 | MEDIUM | 4.40 | go.temporal.io/server | v1.18.1-0.20230217005328-b313b7f58641 | 1.20.5, 1.21.6, 1.22.7 |
| CVE-2023-3485 | LOW | 3.00 | go.temporal.io/server | v1.18.1-0.20230217005328-b313b7f58641 | 1.20.0 |
| [CVE-2025-22870](https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTPHTTPPROXY-9058601) | HIGH | 8.8 | golang.org/x/net/http/httpproxy | v0.34.0 | 0.36.0 |
| [CVE-2025-22868](https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXOAUTH2JWS-8749594) | HIGH | 8.7 | golang.org/x/oauth2/jws | v0.25.0 | 0.27.0 |
| CVE-2025-27144, GHSA-c6gw-w398-hv78 | MEDIUM | 6.9 | github.com/go-jose/go-jose/v4 | v4.0.4 | 4.0.5 |
| CVE-2024-44337 | MEDIUM | 6.9 | github.com/gomarkdown/markdown/parser | v0.0.0-20241105142532-d03b89096d81 | N/A |
| CVE-2024-51744, GHSA-29wx-vh33-7x7r | LOW | 2.3 | github.com/golang-jwt/jwt | v3.2.2+incompatible | N/A |
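One way to triage these findings offline, as an added example that is not part of this issue or of Temporal's own code: read the module list that `go version -m` prints for the server binary and compare each module against the FIX IN column, treating Go pseudo-versions (such as `v1.18.1-0.2023…`) as pre-releases of their base version. The `go version -m` excerpt and the binary name are constructed to mirror the table, and the lookup uses module paths (e.g. `golang.org/x/net`) because that is what the binary records, while the scanner lists packages.

```python
# Added example, not part of this issue or of Temporal's code: check the modules
# that `go version -m` reports for the server binary against the FIX IN column.
FIX_IN = {  # minimum fixed version per affected minor line, from the table
    "go.temporal.io/server": ["1.20.5", "1.21.6", "1.22.7"],
    "golang.org/x/net": ["0.36.0"],
    "golang.org/x/oauth2": ["0.27.0"],
    "github.com/go-jose/go-jose/v4": ["4.0.5"],
    "github.com/gomarkdown/markdown": [],  # N/A: no fixed release
    "github.com/golang-jwt/jwt": [],  # N/A: no fixed release
}

# Constructed `go version -m` output mirroring the table (kind, path, version, hash).
GO_VERSION_M = """\
temporal-server: go1.23.6
\tdep\tgo.temporal.io/server\tv1.18.1-0.20230217005328-b313b7f58641\th1:constructed=
\tdep\tgolang.org/x/net\tv0.34.0\th1:constructed=
\tdep\tgolang.org/x/oauth2\tv0.25.0\th1:constructed=
\tdep\tgithub.com/go-jose/go-jose/v4\tv4.0.4\th1:constructed=
\tdep\tgithub.com/gomarkdown/markdown\tv0.0.0-20241105142532-d03b89096d81\th1:constructed=
\tdep\tgithub.com/golang-jwt/jwt\tv3.2.2+incompatible\th1:constructed=
"""

def parse_deps(text):
    """Return {module path: version} from the `dep` lines of `go version -m`."""
    deps = {}
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) >= 3 and parts[0] == "dep":
            deps[parts[1]] = parts[2]
    return deps

def semver_key(v):
    """Go semver order: pseudo-versions rank below their base release; '+incompatible' is ignored."""
    core, _, _ = v.lstrip("v").partition("+")
    core, _, pre = core.partition("-")
    return (tuple(int(x) for x in core.split(".")), 0 if pre else 1, pre)

def is_fixed(version, fixes):
    """Fixed when at/above the fix on its own minor line, or above every
    listed fix when it sits on a newer minor line than any of them."""
    key = semver_key(version)
    same_line = [f for f in fixes if semver_key(f)[0][:2] == key[0][:2]]
    bar = min(same_line, key=semver_key) if same_line else max(fixes, key=semver_key)
    return key >= semver_key(bar)

def triage(text):
    """Classify each module from the table as fixed, vulnerable or no-fix."""
    return {m: "no-fix" if not FIX_IN[m] else
               "fixed" if is_fixed(v, FIX_IN[m]) else "vulnerable"
            for m, v in parse_deps(text).items() if m in FIX_IN}
```

Running `triage` on the constructed excerpt marks four modules vulnerable and two as having no fix, which is the state the table reports; re-running it against a rebuilt image shows which rows have actually closed.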