Wrong fixed version for CVE-2025-55163 (grpc-netty-shaded) — Trivy shows 1.175.0 instead of 1.75.0

[o-shevchenko]

Description

Trivy reports the following vulnerability incorrectly:

• CVE: CVE-2025-55163
• Package: io.grpc:grpc-netty-shaded
• Installed: 1.75.0
• Fixed: 1.175.0 (reported by Trivy)

Problem: gRPC Java has no version 1.175.0. The highest release is 1.75.0.
So the fixed version should be 1.75.0.

Scan details:

• Trivy version: v0.xx.x
• Command: trivy image image:1.0.37-release-11.1
• Database updated: 2025-09-30

References:

• gRPC Java releases: https://github.com/grpc/grpc-java/releases

Desired Behavior

Fixed version 1.75.0

Actual Behavior

Fixed version 1.175.0

Reproduction Steps

Scan for an image with grpc-netty-shaded before 1.75.0

Target

Container Image

Scanner

None

Output Format

None

Mode

None

Debug Output

> trivy image --quiet --download-db-only --db-repository public.ecr.aws/aquasecurity/trivy-db:2

> trivy image --quiet --download-java-db-only --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db:1

> trivy version

Version: dev

Vulnerability DB:

  Version: 2

  UpdatedAt: 2025-09-30 06:29:59.676553683 +0000 UTC

  NextUpdate: 2025-10-01 06:29:59.676553433 +0000 UTC

  DownloadedAt: 2025-09-30 09:47:10.521005307 +0000 UTC

Java DB:

  Version: 1

  UpdatedAt: 2025-09-30 00:55:21.026806572 +0000 UTC

  NextUpdate: 2025-10-03 00:55:21.026806251 +0000 UTC

  DownloadedAt: 2025-09-30 09:47:28.653523055 +0000 UTC





Running with args:

  image='image'

  chart=''

  source='/harness'

  severity='HIGH,CRITICAL,UNKNOWN'

  license_severity='MEDIUM,HIGH,CRITICAL,UNKNOWN'

  reports=reports

  templates=/templates

  ignore_policy=trivy-ignore.rego

  additional_license_paths=None

  override_scanners=None





Starting trivy license scan...

> trivy image --scanners license --license-full --debug --exit-code 42 --ignore-policy trivy-ignore.rego --severity 'MEDIUM,HIGH,CRITICAL,UNKNOWN' --timeout 10m -f json -o reports/trivy.license.image.json iamge...


Java (jar)

==========

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)



┌──────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐

│                         Library                          │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │

├──────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤

│ io.grpc:grpc-netty-shaded (grpc-netty-shaded-1.75.0.jar) │ CVE-2025-55163 │ HIGH     │ fixed  │ 1.75.0            │ 1.175.0       │ netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS │

│                                                          │                │          │        │                   │               │ Vulnerability                                            │

│                                                          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-55163               │

└──────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

> trivy convert reports/trivy.full.fs.json -f template --template @/templates/junit.tpl -o reports/trivy.junit.fs.xml

> trivy convert reports/trivy.full.fs.json -f template --template @/templates/html.tpl -o reports/trivy.fs.html

> trivy convert reports/trivy.full.fs.json -f template --template @/templates/csv.tpl -o reports/trivy.fs.csv

> trivy convert reports/trivy.full.fs.json -f cyclonedx --output reports/trivy.cyclonedx.fs.json

2025-09-30T09:47:38Z	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.

> trivy convert reports/trivy.full.fs.json -f table

2025-09-30T09:47:38Z	INFO	[convert] To display the summary table, enable the scanners used during JSON report generation.



Trivy failed. These commands had findings:



trivy image --scanners vuln,secret,misconfig --debug --exit-code 42 --ignore-policy trivy-ignore.rego --severity 'HIGH,CRITICAL,UNKNOWN' --timeout 10m -f json -o reports/trivy.vuln.image.json image

Number of cases parsed in each file: map[reports/trivy.junit.fs.xml:0 reports/trivy.junit.image.xml:1]
parsed 1 test cases
Successfully collected test reports in 82.5046ms time

Operating System

RedHat

Version

0.66.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knon]

Got the same issue in our Trivy stage of pipeline.

Please help to fix it, thank you!

[knqyf263]

I believe it's been fixed now as the data source Trivy uses updated their advisory.
https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/commit/2f321b1269d35f9aad385ecc1f30f8699158cd19

[DmitriyLewen]

duplicate of #9555