Scanning is missing a reported CVE in ASP.NET Core 6

[sirredbeard]

Description

trivy image --severity HIGH,CRITICAL mcr.microsoft.com/dotnet/aspnet:6.0 detects CVE-2025-24070 in ASP.NET Core 6, but not CVE-2025-7326.

Trivy should be detecting CVE-2025-7326 in scans of ASP.NET Core 6, but it is not.

Trivy is detecting CVE-2025-24070. CVE-2025-24070 doesn't actually include ASP.NET Core 6 in the affected version ranges, however the GHSA entry for CVE-2025-24070 was updated to include 6 because 6 is affected as well, so it's appropriate that Trivy report CVE-2025-2407 too.

CVE-2025-24070 was reported first, then the GHSA was updated, then CVE-2025-7326 was filed separately to directly address ASP.NET Core 6.

Desired Behavior

Trivy scans should report both CVE-2025-24070 and CVE-2025-7326 when ASP.NET Core 6 is found.

Actual Behavior

Only CVE-2025-24070 is being reported.

Reproduction Steps

1. trivy image --severity HIGH,CRITICAL mcr.microsoft.com/dotnet/aspnet:6.0
2. Review results

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

trivy image --severity HIGH,CRITICAL mcr.microsoft.com/dotnet/aspnet:6.0 --debug
2025-07-28T15:02:25-04:00       DEBUG   No plugins loaded
2025-07-28T15:02:25-04:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-07-28T15:02:25-04:00       DEBUG   Cache dir       dir="/home/hayden/.cache/trivy"
2025-07-28T15:02:25-04:00       DEBUG   Cache dir       dir="/home/hayden/.cache/trivy"
2025-07-28T15:02:25-04:00       DEBUG   Parsed severities       severities=[HIGH CRITICAL]
2025-07-28T15:02:25-04:00       DEBUG   Ignore statuses statuses=[]
2025-07-28T15:02:25-04:00       DEBUG   DB update was skipped because the local DB is the latest
2025-07-28T15:02:25-04:00       DEBUG   DB info schema=2 updated_at=2025-07-28T12:29:10.146299032Z next_update=2025-07-29T12:29:10.146298781Z downloaded_at=2025-07-28T18:32:16.171428128Z
2025-07-28T15:02:25-04:00       DEBUG   [pkg] Package types     types=[os library]
2025-07-28T15:02:25-04:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-07-28T15:02:25-04:00       INFO    [vuln] Vulnerability scanning is enabled
2025-07-28T15:02:25-04:00       INFO    [secret] Secret scanning is enabled
2025-07-28T15:02:25-04:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-07-28T15:02:25-04:00       DEBUG   [notification] Running version check
2025-07-28T15:02:25-04:00       INFO    [secret] Please see also https://trivy.dev/v0.64/docs/scanner/secret#recommendation for faster secret detection
2025-07-28T15:02:25-04:00       DEBUG   Initializing scan cache...      type="fs"
2025-07-28T15:02:25-04:00       DEBUG   [notification] Version check completed  latest_version="0.64.1"
2025-07-28T15:02:26-04:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-07-28T15:02:26-04:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-07-28T15:02:26-04:00       DEBUG   [image] Detected image ID       image_id="sha256:e1be15e5336cd9623a0fdd20ccca189565db0d3b6edbddc5e7933dfdf0262157"
2025-07-28T15:02:26-04:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:9b7261696dcc876d42a4803f906d53b053c684654596b71183889df18a79d527 sha256:14c1dc5943c067b9d5e9e27c003ca4e79f717763f94056d2f63e01849f7bf5a7 sha256:a190071c1c72fb946162a2e0a4e916709d51f7b0f17ace2ec818271feb0ee7b4 sha256:59361b3806d7bce40fd2be9b1554f04a9c8e8db9a85488f29ff564035978f341 sha256:7f7140d2a11898e44b7b8a9fa16cdaeb26e6f7038b1acf2fe60b6fb9baa75695]
2025-07-28T15:02:26-04:00       DEBUG   [image] Detected base layers    diff_ids=[]
2025-07-28T15:02:26-04:00       INFO    Detected OS     family="debian" version="11.11"
2025-07-28T15:02:26-04:00       INFO    [debian] Detecting vulnerabilities...   os_version="11" pkg_num=99
2025-07-28T15:02:26-04:00       INFO    Number of language-specific files       num=2
2025-07-28T15:02:26-04:00       INFO    [dotnet-core] Detecting vulnerabilities...
2025-07-28T15:02:26-04:00       DEBUG   [dotnet-core] Scanning packages for vulnerabilities     file_path="usr/share/dotnet/shared/Microsoft.AspNetCore.App/6.0.36/Microsoft.AspNetCore.App.deps.json"
2025-07-28T15:02:26-04:00       DEBUG   [dotnet-core] Scanning packages for vulnerabilities     file_path="usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.36/Microsoft.NETCore.App.deps.json"
2025-07-28T15:02:26-04:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.64/docs/scanner/vulnerability#severity-selection for details.
2025-07-28T15:02:26-04:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-07-28T15:02:26-04:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌──────────────────────────────────────────────────────────────────────────────────┬─────────────┬─────────────────┬─────────┐
│                                      Target                                      │    Type     │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────────────────────────────────────────────┼─────────────┼─────────────────┼─────────┤
│ mcr.microsoft.com/dotnet/aspnet:6.0 (debian 11.11)                               │   debian    │       12        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼─────────────┼─────────────────┼─────────┤
│ usr/share/dotnet/shared/Microsoft.AspNetCore.App/6.0.36/Microsoft.AspNetCore.Ap- │ dotnet-core │        1        │    -    │
│ p.deps.json                                                                      │             │                 │         │
├──────────────────────────────────────────────────────────────────────────────────┼─────────────┼─────────────────┼─────────┤
│ usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.36/Microsoft.NETCore.App.deps- │ dotnet-core │        0        │    -    │
│ .json                                                                            │             │                 │         │
└──────────────────────────────────────────────────────────────────────────────────┴─────────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


mcr.microsoft.com/dotnet/aspnet:6.0 (debian 11.11)

Total: 12 (HIGH: 10, CRITICAL: 2)

┌────────────────────┬────────────────┬──────────┬──────────────┬─────────────────────────┬──────────────────┬────────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability  │ Severity │    Status    │    Installed Version    │  Fixed Version   │                           Title                            │
├────────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────┼──────────────────┼────────────────────────────────────────────────────────────┤
│ bash               │ CVE-2022-3715  │ HIGH     │ affected     │ 5.1-2+deb11u1           │                  │ bash: a heap-buffer-overflow in valid_parameter_transform  │
│                    │                │          │              │                         │                  │ https://avd.aquasec.com/nvd/cve-2022-3715                  │
├────────────────────┼────────────────┤          ├──────────────┼─────────────────────────┼──────────────────┼────────────────────────────────────────────────────────────┤
│ libc-bin           │ CVE-2025-4802  │          │ fixed        │ 2.31-13+deb11u11        │ 2.31-13+deb11u13 │ glibc: static setuid binary dlopen may incorrectly search  │
│                    │                │          │              │                         │                  │ LD_LIBRARY_PATH                                            │
│                    │                │          │              │                         │                  │ https://avd.aquasec.com/nvd/cve-2025-4802                  │
├────────────────────┤                │          │              │                         │                  │                                                            │
│ libc6              │                │          │              │                         │                  │                                                            │
│                    │                │          │              │                         │                  │                                                            │
│                    │                │          │              │                         │                  │                                                            │
├────────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────┼──────────────────┼────────────────────────────────────────────────────────────┤
│ libdb5.3           │ CVE-2019-8457  │ CRITICAL │ will_not_fix │ 5.3.28+dfsg1-0.8        │                  │ sqlite: heap out-of-bound read in function rtreenode()     │
│                    │                │          │              │                         │                  │ https://avd.aquasec.com/nvd/cve-2019-8457                  │
├────────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────┼──────────────────┼────────────────────────────────────────────────────────────┤
│ libgcrypt20        │ CVE-2021-33560 │ HIGH     │ affected     │ 1.8.7-6                 │                  │ libgcrypt: mishandles ElGamal encryption because it lacks  │
│                    │                │          │              │                         │                  │ exponent blinding to address a...                          │
│                    │                │          │              │                         │                  │ https://avd.aquasec.com/nvd/cve-2021-33560                 │
├────────────────────┼────────────────┤          ├──────────────┼─────────────────────────┼──────────────────┼────────────────────────────────────────────────────────────┤
│ libicu67           │ CVE-2025-5222  │          │ fixed        │ 67.1-7                  │ 67.1-7+deb11u1   │ icu: Stack buffer overflow in the SRBRoot::addTag function │
│                    │                │          │              │                         │                  │ https://avd.aquasec.com/nvd/cve-2025-5222                  │
├────────────────────┼────────────────┤          ├──────────────┼─────────────────────────┼──────────────────┼────────────────────────────────────────────────────────────┤
│ libpam-modules     │ CVE-2025-6020  │          │ affected     │ 1.4.0-9+deb11u1         │                  │ linux-pam: Linux-pam directory Traversal                   │
│                    │                │          │              │                         │                  │ https://avd.aquasec.com/nvd/cve-2025-6020                  │
├────────────────────┤                │          │              │                         ├──────────────────┤                                                            │
│ libpam-modules-bin │                │          │              │                         │                  │                                                            │
│                    │                │          │              │                         │                  │                                                            │
├────────────────────┤                │          │              │                         ├──────────────────┤                                                            │
│ libpam-runtime     │                │          │              │                         │                  │                                                            │
│                    │                │          │              │                         │                  │                                                            │
├────────────────────┤                │          │              │                         ├──────────────────┤                                                            │
│ libpam0g           │                │          │              │                         │                  │                                                            │
│                    │                │          │              │                         │                  │                                                            │
├────────────────────┼────────────────┤          │              ├─────────────────────────┼──────────────────┼────────────────────────────────────────────────────────────┤
│ libzstd1           │ CVE-2022-4899  │          │              │ 1.4.8+dfsg-2.1          │                  │ zstd: mysql: buffer overrun in util.c                      │
│                    │                │          │              │                         │                  │ https://avd.aquasec.com/nvd/cve-2022-4899                  │
├────────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────┼──────────────────┼────────────────────────────────────────────────────────────┤
│ zlib1g             │ CVE-2023-45853 │ CRITICAL │ will_not_fix │ 1:1.2.11.dfsg-2+deb11u2 │                  │ zlib: integer overflow and resultant heap-based buffer     │
│                    │                │          │              │                         │                  │ overflow in zipOpenNewFileInZip4_6                         │
│                    │                │          │              │                         │                  │ https://avd.aquasec.com/nvd/cve-2023-45853                 │
└────────────────────┴────────────────┴──────────┴──────────────┴─────────────────────────┴──────────────────┴────────────────────────────────────────────────────────────┘

usr/share/dotnet/shared/Microsoft.AspNetCore.App/6.0.36/Microsoft.AspNetCore.App.deps.json (dotnet-core)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────┐
│                  Library                   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                        │
├────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────┤
│ Microsoft.AspNetCore.App.Runtime.linux-x64 │ CVE-2025-24070 │ HIGH     │ fixed  │ 6.0.36            │ 9.0.3, 8.0.14 │ dotnet: Privilege Escalation Vulnerability in .NET │
│                                            │                │          │        │                   │               │ SignInManager.RefreshSignInAsync Method            │
│                                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-24070         │
└────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────┘

Operating System

Ubuntu 22.04

Version

Version: 0.64.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-07-28 12:29:10.146299032 +0000 UTC
  NextUpdate: 2025-07-29 12:29:10.146298781 +0000 UTC
  DownloadedAt: 2025-07-28 18:32:16.171428128 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @sirredbeard
Thanks for your report!

Trivy uses GitHub Advisory database for .Net packages - https://trivy.dev/latest/docs/scanner/vulnerability/#langpkg-data-sources
GHSA-jqfh-6jjg-67xg is currently unreviewed (advisory doesn't have affected packages/versions).

When GitHub updates this advisory, Trivy will be able to detect CVE-2025-7326.

Regards, Dmitriy

[sirredbeard]

Thank you for your response, @DmitriyLewen. We will get that updated.