Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Fix known vulnerabilities (scanner: trivy) #576

Description

@axi92

Would it be possible to plan the fix of this vulnerabilities?

$ trivy repository https://github.com/docker/metadata-action.git
2025-12-15T13:19:58+01:00       INFO    [vuln] Vulnerability scanning is enabled
2025-12-15T13:19:58+01:00       INFO    [secret] Secret scanning is enabled
2025-12-15T13:19:58+01:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-12-15T13:19:58+01:00       INFO    [secret] Please see https://trivy.dev/docs/v0.68/guide/scanner/secret#recommendation for faster secret detection
Enumerating objects: 1085, done.
Counting objects: 100% (1085/1085), done.
Compressing objects: 100% (566/566), done.
Total 1085 (delta 746), reused 750 (delta 462), pack-reused 0 (from 0)
2025-12-15T13:20:09+01:00       INFO    Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2025-12-15T13:20:09+01:00       INFO    Number of language-specific files       num=1
2025-12-15T13:20:09+01:00       INFO    [yarn] Detecting vulnerabilities...

Report Summary

┌───────────┬──────┬─────────────────┬─────────┐
│  Target   │ Type │ Vulnerabilities │ Secrets │
├───────────┼──────┼─────────────────┼─────────┤
│ yarn.lock │ yarn │        9        │    -    │
└───────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


yarn.lock (yarn)

Total: 9 (UNKNOWN: 0, LOW: 2, MEDIUM: 3, HIGH: 2, CRITICAL: 2)

┌────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────┬──────────────────────────────────────────────────────────────┐
│        Library         │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version        │                            Title                             │
├────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ @octokit/request       │ CVE-2025-25290 │ MEDIUM   │ fixed  │ 8.1.4             │ 9.2.1, 8.4.1                │ octokit/request: @octokit/request has a Regular Expression   │
│                        │                │          │        │                   │                             │ in fetchWrapper that Leads to ReDoS...                       │
│                        │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-25290                   │
├────────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ @octokit/request-error │ CVE-2025-25289 │          │        │ 5.0.1             │ 5.1.1, 6.1.7                │ @octokit/request-error: @octokit/request-error has a Regular │
│                        │                │          │        │                   │                             │ Expression in index that Leads to ReDoS...                   │
│                        │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-25289                   │
├────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ brace-expansion        │ CVE-2025-5889  │ LOW      │        │ 2.0.1             │ 2.0.2, 1.1.12, 3.0.1, 4.0.1 │ brace-expansion: juliangruber brace-expansion index.js       │
│                        │                │          │        │                   │                             │ expand redos                                                 │
│                        │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-5889                    │
├────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ form-data              │ CVE-2025-7783  │ CRITICAL │        │ 3.0.1             │ 2.5.4, 3.0.4, 4.0.4         │ form-data: Unsafe random function in form-data               │
│                        │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-7783                    │
│                        │                │          │        ├───────────────────┤                             │                                                              │
│                        │                │          │        │ 4.0.0             │                             │                                                              │
│                        │                │          │        │                   │                             │                                                              │
├────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ glob                   │ CVE-2025-64756 │ HIGH     │        │ 10.3.15           │ 11.1.0, 10.5.0              │ glob: glob: Command Injection Vulnerability via Malicious    │
│                        │                │          │        │                   │                             │ Filenames                                                    │
│                        │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-64756                   │
│                        │                │          │        ├───────────────────┤                             │                                                              │
│                        │                │          │        │ 11.0.3            │                             │                                                              │
│                        │                │          │        │                   │                             │                                                              │
│                        │                │          │        │                   │                             │                                                              │
├────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ undici                 │ CVE-2025-22150 │ MEDIUM   │        │ 5.28.4            │ 5.28.5, 6.21.1, 7.2.3       │ undici: Undici Uses Insufficiently Random Values             │
│                        │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-22150                   │
│                        ├────────────────┼──────────┤        │                   ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                        │ CVE-2025-47279 │ LOW      │        │                   │ 5.29.0, 6.21.2, 7.5.0       │ undici: Undici Memory Leak with Invalid Certificates         │
│                        │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-47279                   │
└────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────┴──────────────────────────────────────────────────────────────┘

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions