mssql-jdbc - potential false positive on CVE-2025-59250 with mssql-jdbc 12.2.1.jre11

[concreted]

IDs

CVE-2025-59250

Description

Trivy reported CVE-2025-59250 on my image containing a jar with the following dependency:

<dependency>
            <groupId>com.microsoft.sqlserver</groupId>
            <artifactId>mssql-jdbc</artifactId>
            <version>12.2.0.jre11</version>
</dependency>

This is what Trivy reported:

Java (jar)
==========
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────┐
│                   Library                    │ Vulnerability  │ Severity │ Status │ Installed Version │                    Fixed Version                    │                          Title                           │
├──────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│ com.microsoft.sqlserver:mssql-jdbc (app.jar) │ CVE-2025-59250 │ HIGH     │ fixed  │ 12.2.0.jre11      │ 10.2.4.jre8, 11.2.4.jre8, 12.2.1.jre8, 12.6.5.jre8, │ JDBC Driver for SQL Server has improper input validation │
│                                              │                │          │        │                   │ 12.8.2.jre8, 12.10.2.jre8, 13.2.1.jre8              │ issue                                                    │
│                                              │                │          │        │                   │                                                     │ https://avd.aquasec.com/nvd/cve-2025-59250               │
└──────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────┘

According to https://avd.aquasec.com/nvd/2025/cve-2025-59250/, 12.2.1 should not be affected by this CVE. However when I updated to 12.2.1.jre11, Trivy still reports the same CVE:

Java (jar)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────┐
│                   Library                    │ Vulnerability  │ Severity │ Status │ Installed Version │                    Fixed Version                    │                          Title                           │
├──────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│ com.microsoft.sqlserver:mssql-jdbc (app.jar) │ CVE-2025-59250 │ HIGH     │ fixed  │ 12.2.1            │ 10.2.4.jre8, 11.2.4.jre8, 12.2.1.jre8, 12.6.5.jre8, │ JDBC Driver for SQL Server has improper input validation │
│                                              │                │          │        │                   │ 12.8.2.jre8, 12.10.2.jre8, 13.2.1.jre8              │ issue                                                    │
│                                              │                │          │        │                   │                                                     │ https://avd.aquasec.com/nvd/cve-2025-59250               │
└─────────────────────────────

I see that the Fixed Version list includes .jre8 versions for the fixed versions, but not .jre11. I am wondering if this is a false detection due to .jre11 not being included in fixed versions (or maybe that the Installed version 12.2.1 doesn't match the fix version 12.2.1.jre8).

The Github advisory for this CVE GHSA-m494-w24q-6f7w only lists the .jre8 versions, so maybe this is a problem on that side? I am curious how 12.2.0.jre11 is detected as having a CVE though, because .jre11 is not listed as affected in the Github advisory.

Reproduction Steps

1. Build a Docker image containing a Java JAR with following dependency in `pom.xml`:

<dependency>
            <groupId>com.microsoft.sqlserver</groupId>
            <artifactId>mssql-jdbc</artifactId>
            <version>12.2.1.jre11</version>
</dependency>

2. Run trivy image <tag> on the resulting image

### Target

Container Image

### Scanner

Vulnerability

### Target OS

_No response_

### Debug Output

```bash
2025-11-04T00:34:53Z    DEBUG   No plugins loaded
2025-11-04T00:34:53Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-11-04T00:34:53Z    DEBUG   Cache dir       dir="/home/aric/.cache/trivy"
2025-11-04T00:34:53Z    DEBUG   Cache dir       dir="/home/aric/.cache/trivy"
2025-11-04T00:34:53Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-11-04T00:34:53Z    DEBUG   Ignore statuses statuses=[]
2025-11-04T00:34:53Z    DEBUG   DB update was skipped because the local DB is the latest
2025-11-04T00:34:53Z    DEBUG   DB info schema=2 updated_at=2025-11-03T18:29:56.15291186Z next_update=2025-11-04T18:29:56.152911559Z downloaded_at=2025-11-04T00:06:39.176068486Z
2025-11-04T00:34:53Z    DEBUG   [pkg] Package types     types=[os library]
2025-11-04T00:34:53Z    DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2025-11-04T00:34:53Z    INFO    [vuln] Vulnerability scanning is enabled
2025-11-04T00:34:53Z    INFO    [secret] Secret scanning is enabled
2025-11-04T00:34:53Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-11-04T00:34:53Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2025-11-04T00:34:53Z    DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-11-04T00:34:53Z    DEBUG   Initializing scan cache...      type="fs"
2025-11-04T00:34:53Z    DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-11-04T00:34:53Z    DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-11-04T00:34:53Z    DEBUG   [image] Detected image ID       image_id="sha256:4da1240ede7b509360ebab0da37d1e0c7e2e84db7d0c171378909674ed955002"
2025-11-04T00:34:53Z    DEBUG   [image] Detected diff ID        diff_ids=[sha256:63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85 sha256:01d3f5d5a6c9da3fd6eac9064dae0c1bb3e20d25d5df871344931ca2db309c6c sha256:13407d63b6505a686df5cba2224433b4123971902b00df55ae31b27961869b2f sha256:44a76360121e6507021403c138354deb331a6f87caa6be323239cdde81537619 sha256:71e8cc6fa9c8eca4fa7e6cc1297c8233b6c6e26ff0af4a516dc0ae568eaa6294 sha256:fb46bf2f7529e5bd4dc68bf7f9842942e8f89874c81f0f8db2abb98e6a551772 sha256:2e6b5a9cfa33c7761e8ee8971badcb3f6376f5ad11aa4eeec609ada7582b19f0 sha256:b56336affa1af88a3cb2d0bcd7e9a38c74f8c48626cc61c4d69d3c67c29ebaec]
2025-11-04T00:34:53Z    DEBUG   [image] Detected base layers    diff_ids=[sha256:63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85]
2025-11-04T00:34:53Z    INFO    Detected OS     family="alpine" version="3.20.3"
2025-11-04T00:34:53Z    INFO    [alpine] Detecting vulnerabilities...   os_version="3.20" repository="3.20" pkg_num=43
2025-11-04T00:34:53Z    INFO    Number of language-specific files       num=1
2025-11-04T00:34:53Z    INFO    [jar] Detecting vulnerabilities...
2025-11-04T00:34:53Z    DEBUG   [jar] Scanning packages for vulnerabilities     file_path=""
2025-11-04T00:34:53Z    WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.55/docs/scanner/vulnerability#severity-selection for details.
2025-11-04T00:34:53Z    DEBUG   [vex] VEX filtering is disabled

Java (jar)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────┐
│                   Library                    │ Vulnerability  │ Severity │ Status │ Installed Version │                    Fixed Version                    │                          Title                           │
├──────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│ com.microsoft.sqlserver:mssql-jdbc (app.jar) │ CVE-2025-59250 │ HIGH     │ fixed  │ 12.2.1            │ 10.2.4.jre8, 11.2.4.jre8, 12.2.1.jre8, 12.6.5.jre8, │ JDBC Driver for SQL Server has improper input validation │
│                                              │                │          │        │                   │ 12.8.2.jre8, 12.10.2.jre8, 13.2.1.jre8              │ issue                                                    │
│                                              │                │          │        │                   │                                                     │ https://avd.aquasec.com/nvd/cve-2025-59250               │
└──────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────┘

### Version

```bash
Version: 0.55.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-11-03 18:29:56.15291186 +0000 UTC
  NextUpdate: 2025-11-04 18:29:56.152911559 +0000 UTC
  DownloadedAt: 2025-11-04 00:06:39.176068486 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-11-03 00:57:09.75254039 +0000 UTC
  NextUpdate: 2025-11-06 00:57:09.752539859 +0000 UTC
  DownloadedAt: 2025-11-04 00:07:11.462725722 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[sys-ops]

The latest version of trivy does not solve the problem either:

Version: 0.67.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-11-04 12:31:56.737942931 +0000 UTC
  NextUpdate: 2025-11-05 12:31:56.73794266 +0000 UTC
  DownloadedAt: 2025-11-05 08:07:55.068137375 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-11-05 00:56:32.917314448 +0000 UTC
  NextUpdate: 2025-11-08 00:56:32.917314318 +0000 UTC
  DownloadedAt: 2025-11-05 08:17:43.305192815 +0000 UTC

┌──────────────────────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬─────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│                   Library                    │ Vulnerability  │ Severity │  Status  │ Installed Version │                    Fixed Version                    │                            Title                             │
├──────────────────────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼─────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.microsoft.sqlserver:mssql-jdbc (app.jar) │ CVE-2025-59250 │ HIGH     │ fixed    │ 12.10.2           │ 10.2.4.jre8, 11.2.4.jre8, 12.2.1.jre8, 12.6.5.jre8, │ JDBC Driver for SQL Server has improper input validation     │
│                                              │                │          │          │                   │ 12.8.2.jre8, 12.10.2.jre8, 13.2.1.jre8              │ issue                                                        │
│                                              │                │          │          │                   │                                                     │ https://avd.aquasec.com/nvd/cve-2025-59250                   │
├──────────────────────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼─────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤

[DmitriyLewen]

Hello @concreted
Thanks for your report!

We use GitHub database for java vulnerabilities - https://trivy.dev/latest/docs/scanner/vulnerability/#langpkg-data-sources
GHSA-m494-w24q-6f7w uses >= 12.2.0.jre8, < 12.2.1.jre8 vulnerable range https://github.com/github/advisory-database/blob/ef0209a2510641de7b65556cfbbdbdfdb2a1a326/advisories/github-reviewed/2025/10/GHSA-m494-w24q-6f7w/GHSA-m494-w24q-6f7w.json#L66-L69

12.2.1 < 12.2.1.jre8:

➜  java -jar ~/.m2/repository/org/apache/maven/maven-artifact/3.9.11/maven-artifact-3.9.11.jar "12.2.1"  "12.2.1.jre8" 
Display parameters as parsed by Maven (in canonical form and as a list of tokens) and comparison result:
1. 12.2.1 -> 12.2.1; tokens: [12, 2, 1]
   12.2.1 < 12.2.1.jre8
2. 12.2.1.jre8 -> 12.2.1-jre-8; tokens: [12, 2, 1, [jre, [8]]]

That is why Trivy shows this vulnerability for 12.2.1 version.

Regards, Dmitriy

[sys-ops]

@DmitriyLewen

2025-11-05T09:26:20+01:00 DEBUG [jar] Parsing Java artifacts... file_path="app.jar/BOOT-INF/lib/mssql-jdbc-12.10.2.jre8.jar"

I have installed 12.10.2.jre8, yet trivy says that the installed version is 12.10.2 and tells me to install 12.10.2.jre8 version which is a Fixed Version.

Is there anything I can do so trivy does not report this vulnerability since I have the fixed version installed?

[DmitriyLewen]

It’s possible that one of the files inside the JAR contains metadata indicating version 12.10.2.
If you’re sure there’s no vulnerability, you can use one of Trivy’s filtering options — https://trivy.dev/latest/docs/configuration/filtering/ — for example, a VEX file.

[jakub-czajkowski]

Sounds about right - Manifest files in mssql-jdbc jars are showing version without jre suffix, f.ex. just "12.10.2", while the jar itself and maven version has those suffixes.
Are there any chances for general fix or workaround, other than filtering/exclusions? It's clearly false positive, caused by some mix-up between way of versioning by Microsoft, and vulnerabilities database.

[DmitriyLewen]

In fact, this is an error in how the JAR was built and should be fixed on the vendor’s side.
Besides filtering, you could write a custom module to handle this case, but that would still be essentially the same as filtering.

There are no other options in Trivy.

[rutuja120190]

Anyone got solution to this?