Closed
Description
The -alpine images have CVE-2025-31115 "xz: XZ has a heap-use-after-free bug in threaded .xz decoder" reported against them.
Alpine released xz-5.6.3-r1, which fixes this vulnerability.
```
$ docker run -it aquasec/trivy image python:3.13-alpine
2025-04-08T17:42:50Z INFO [vulndb] Need to update DB
2025-04-08T17:42:50Z INFO [vulndb] Downloading vulnerability DB...
2025-04-08T17:42:50Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
62.04 MiB / 62.04 MiB [-----------------------------------------------------------] 100.00% 10.33 MiB p/s 6.2s
2025-04-08T17:42:56Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2025-04-08T17:42:56Z INFO [vuln] Vulnerability scanning is enabled
2025-04-08T17:42:56Z INFO [secret] Secret scanning is enabled
2025-04-08T17:42:56Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-04-08T17:42:56Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2025-04-08T17:42:58Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="pip" version="24.3.1"
2025-04-08T17:42:58Z INFO Detected OS family="alpine" version="3.21.3"
2025-04-08T17:42:58Z WARN This OS version is not on the EOL list family="alpine" version="3.21"
2025-04-08T17:42:58Z INFO [alpine] Detecting vulnerabilities... os_version="3.21" repository="3.21" pkg_num=28
2025-04-08T17:42:58Z INFO Number of language-specific files num=1
2025-04-08T17:42:58Z INFO [python-pkg] Detecting vulnerabilities...
2025-04-08T17:42:58Z WARN Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.56/docs/scanner/vulnerability#severity-selection for details.

python:3.13-alpine (alpine 3.21.3)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ xz-libs │ CVE-2025-31115 │ HIGH     │ fixed  │ 5.6.3-r0          │ 5.6.3-r1      │ xz: XZ has a heap-use-after-free bug in threaded .xz decoder │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-31115                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```
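A quick way to confirm the report, and later to confirm that a rebuilt image is clean, without pulling Trivy's database: read the installed xz-libs version out of `apk info -v` and compare it against Alpine's fixed 5.6.3-r1. This is an added example, not code from the issue author or from the docker-library/python project. It assumes package versions of the shape X.Y.Z-rN (enough for xz-libs; apk's full version grammar is wider), the package lists below are constructed samples, and only the optional `docker run` at the end touches a real image.

```shell
#!/bin/sh
# Added example, not from the issue or the docker-library/python project:
# decide whether an Alpine-based image still ships xz-libs older than the
# fixed 5.6.3-r1 that Alpine released for CVE-2025-31115.

FIXED_XZ_LIBS="5.6.3-r1"

# Compare two dotted numeric strings ("5.6.3" vs "5.6.10") component by
# component. Prints -1, 0 or 1. Assumes every component is an integer.
cmp_dotted() {
    l="$1."
    r="$2."
    while [ -n "$l" ] || [ -n "$r" ]; do
        lc="${l%%.*}"; l="${l#*.}"
        rc="${r%%.*}"; r="${r#*.}"
        lc="${lc:-0}"; rc="${rc:-0}"
        if [ "$lc" -lt "$rc" ]; then printf '%s\n' -1; return; fi
        if [ "$lc" -gt "$rc" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Compare two Alpine package versions of the shape X.Y.Z-rN (a missing -rN
# counts as -r0, as apk treats it). Prints -1, 0 or 1. Deliberately a subset
# of apk's version grammar (no _p/_alpha suffixes); all xz-libs needs here.
apk_vercmp() {
    a_ver="$1"; a_rel=0
    b_ver="$2"; b_rel=0
    case "$1" in *-r*) a_ver="${1%-r*}"; a_rel="${1##*-r}";; esac
    case "$2" in *-r*) b_ver="${2%-r*}"; b_rel="${2##*-r}";; esac
    c=$(cmp_dotted "$a_ver" "$b_ver")
    if [ "$c" -ne 0 ]; then
        printf '%s\n' "$c"
    else
        cmp_dotted "$a_rel" "$b_rel"
    fi
}

# Extract the installed xz-libs version from text shaped like `apk info -v`
# output (one "name-version" token per line). Prints nothing when absent.
installed_xz_version() {
    printf '%s\n' "$1" | awk '$1 ~ /^xz-libs-[0-9]/ { sub(/^xz-libs-/, "", $1); print $1; exit }'
}

# Classify an image's package list as "absent", "vulnerable" or "fixed".
xz_status() {
    v=$(installed_xz_version "$1")
    if [ -z "$v" ]; then
        printf '%s\n' absent
    elif [ "$(apk_vercmp "$v" "$FIXED_XZ_LIBS")" -lt 0 ]; then
        printf '%s\n' vulnerable
    else
        printf '%s\n' fixed
    fi
}

# Constructed samples in the shape of `apk info -v` output: the first mirrors
# what Trivy found above, the second is what a rebuilt image should show.
SAMPLE_VULNERABLE='musl-1.2.5-r8
xz-libs-5.6.3-r0
zlib-1.3.1-r2'
SAMPLE_FIXED='musl-1.2.5-r8
xz-libs-5.6.3-r1
zlib-1.3.1-r2'

# Live check against a real image when XZCHECK_IMAGE is set (needs docker),
# e.g.  XZCHECK_IMAGE=python:3.13-alpine sh xzcheck.sh
if [ -n "${XZCHECK_IMAGE:-}" ]; then
    xz_status "$(docker run --rm "$XZCHECK_IMAGE" apk info -v)"
fi
```

The comparison is numeric per component rather than a string compare, so 5.6.10-r0 correctly sorts above 5.6.3-r1. Until the official image is rebuilt against the fixed package, a derived image can pick it up with `RUN apk upgrade --no-cache` in its Dockerfile; rerun the check on the result.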