Typo in fixed version for io.grpc:grpc-netty-shaded (CVE-2025-55163)

[mansguiche]

IDs

CVE-2025-55163

Description

Not sure if False detection is the right category for this, sorry if it is not. Feel free to move it.

When scanning a Java project that depends on io.grpc:grpc-netty-shaded, Trivy reports the following for CVE-2025-55163:

Package: io.grpc:grpc-netty-shaded
Vulnerability ID: CVE-2025-55163
Fixed Version: 1.175.0

However, 1.175.0 does not exist in Maven Central or gRPC’s release history. The latest version available is 1.75.0.

(Maven Central: io.grpc:grpc-netty-shaded)[https://search.maven.org/artifact/io.grpc/grpc-netty-shaded]
→ latest is 1.75.0.

gRPC Java 1.75.0 release notes
→ upgrades Netty to 4.1.124.Final, which fixes CVE-2025-55163.

Netty advisory
→ fixed in Netty 4.1.124.Final / 4.2.4.Final.

So the correct “fixed version” for this package should be: io.grpc:grpc-netty-shaded:1.75.0

Reproduction Steps

Create a minimal Maven or Gradle project with the following dependency:

Maven (pom.xml):

<dependency>
  <groupId>io.grpc</groupId>
  <artifactId>grpc-netty-shaded</artifactId>
  <version>1.75.0</version>
</dependency>


Gradle (build.gradle):

implementation "io.grpc:grpc-netty-shaded:1.75.0"


Run a Trivy filesystem or SBOM scan:

trivy fs .  


or

trivy sbom --format cyclonedx ./build.gradle > sbom.json
trivy sbom sbom.json


Observe the scan output. Trivy flags CVE-2025-55163 with:

Package: io.grpc:grpc-netty-shaded
Vulnerability ID: CVE-2025-55163
Installed Version: 1.75.0
Fixed Version: 1.175.0


Verify that 1.175.0 does not exist in Maven Central, while 1.75.0 is the actual fixed version.

Target

Container Image

Scanner

Vulnerability

Target OS

ubuntu lts 22.04

Debug Output

n/a

Version

Version: 0.66.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-09-30 06:29:59.676553683 +0000 UTC
  NextUpdate: 2025-10-01 06:29:59.676553433 +0000 UTC
  DownloadedAt: 2025-09-30 10:54:44.624392403 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-09-30 00:55:21.026806572 +0000 UTC
  NextUpdate: 2025-10-03 00:55:21.026806251 +0000 UTC
  DownloadedAt: 2025-09-30 10:55:16.139292489 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @mansguiche
GitHub updated this advisory 13 hours ago.
Trivy DB now contains the correct fixed version.

Can you re-download Trivy DB and check again?

Regards, Dmitriy

[mansguiche]

Thank you. I can confirm that I am no longer seeing the vuln warning on a scan of v1.75.0