The -alpine images have CVE-2025-31115 "xz: XZ has a heap-use-after-free bug in threaded .xz decoder" reported against them.
Alpine has released xz-5.6.3-r1, which fixes this vulnerability.
$ docker run -it aquasec/trivy image python:3.13-alpine
2025-04-08T17:42:50Z INFO [vulndb] Need to update DB
2025-04-08T17:42:50Z INFO [vulndb] Downloading vulnerability DB...
2025-04-08T17:42:50Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
62.04 MiB / 62.04 MiB [-----------------------------------------------------------] 100.00% 10.33 MiB p/s 6.2s
2025-04-08T17:42:56Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2025-04-08T17:42:56Z INFO [vuln] Vulnerability scanning is enabled
2025-04-08T17:42:56Z INFO [secret] Secret scanning is enabled
2025-04-08T17:42:56Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-04-08T17:42:56Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2025-04-08T17:42:58Z INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="pip" version="24.3.1"
2025-04-08T17:42:58Z INFO Detected OS family="alpine" version="3.21.3"
2025-04-08T17:42:58Z WARN This OS version is not on the EOL list family="alpine" version="3.21"
2025-04-08T17:42:58Z INFO [alpine] Detecting vulnerabilities... os_version="3.21" repository="3.21" pkg_num=28
2025-04-08T17:42:58Z INFO Number of language-specific files num=1
2025-04-08T17:42:58Z INFO [python-pkg] Detecting vulnerabilities...
2025-04-08T17:42:58Z WARN Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.56/docs/scanner/vulnerability#severity-selection for details.
python:3.13-alpine (alpine 3.21.3)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ xz-libs │ CVE-2025-31115 │ HIGH     │ fixed  │ 5.6.3-r0          │ 5.6.3-r1      │ xz: XZ has a heap-use-after-free bug in threaded .xz decoder │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-31115                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
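To act on a finding like the one above in CI, the useful question is whether Alpine already ships the fix, which means the image only needs a rebuild (or an `apk upgrade` of the package) rather than a wait on upstream. The following is an added example, not part of this issue or of Trivy: it reads a Trivy `--format json` report (a constructed, trimmed sample mirroring the finding above), compares Alpine package versions including the `-rN` pkgrel, and lists the findings for which a fixed package exists. The version comparison is simplified (numeric components and pkgrel only, no `_rc`-style suffixes), which is an assumption.

```python
import json
import re
from typing import List, Tuple

# Constructed sample: a trimmed Trivy JSON report (trivy image --format json)
# reproducing the xz-libs finding from the scan above. Not real scanner output.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "python:3.13-alpine",
    "Results": [{
        "Target": "python:3.13-alpine (alpine 3.21.3)",
        "Class": "os-pkgs",
        "Vulnerabilities": [{
            "VulnerabilityID": "CVE-2025-31115",
            "PkgName": "xz-libs",
            "InstalledVersion": "5.6.3-r0",
            "FixedVersion": "5.6.3-r1",
            "Severity": "HIGH",
        }],
    }],
})

def parse_apk_version(v: str) -> Tuple[List[int], int]:
    """Split an Alpine version such as '5.6.3-r1' into (numeric parts, pkgrel).
    Simplified (assumption): letter and _suffix components like '_rc1' are ignored."""
    base, _, rel = v.partition("-r")
    nums = [int(x) for x in re.findall(r"\d+", base)]
    return nums, int(rel) if rel else 0

def apk_version_lt(a: str, b: str) -> bool:
    """True if apk version a is older than b (5.6.3-r0 < 5.6.3-r1 < 5.6.4-r0).
    Components compare numerically, so 5.10.0 is newer than 5.6.3."""
    return parse_apk_version(a) < parse_apk_version(b)

def fixable_findings(report_json: str) -> List[dict]:
    """Return OS-package findings whose installed version is older than
    FixedVersion: rebuilding on a current base (or upgrading the package)
    clears them. Assumes a single Alpine FixedVersion per finding."""
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        if result.get("Class") != "os-pkgs":
            continue
        for vuln in result.get("Vulnerabilities") or []:
            fixed = vuln.get("FixedVersion", "")
            if fixed and apk_version_lt(vuln["InstalledVersion"], fixed):
                out.append({"id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                            "installed": vuln["InstalledVersion"], "fixed": fixed})
    return out

def remediation(findings: List[dict]) -> str:
    """The apk command a Dockerfile RUN step can use until the base is rebuilt."""
    pkgs = sorted({f["pkg"] for f in findings})
    return "apk upgrade --no-cache " + " ".join(pkgs) if pkgs else ""
```

Pipe real output in with `trivy image --format json python:3.13-alpine`; a non-empty result from `fixable_findings` is the signal that a rebuild on a refreshed base image would clear the finding.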