Multiple CVEs reported in Trivy 0.67.2 - are any exploitable?

[candrews]

Question

Trivy reports multiple CVEs (including high and critical ones) when scanning itself.

Are any of these exploitable / cause for concern?

$ trivy image -q docker.io/aquasec/trivy:0.67.2

Report Summary

┌────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                     Target                     │   Type   │ Vulnerabilities │ Secrets │
├────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ docker.io/aquasec/trivy:0.67.2 (alpine 3.22.1) │  alpine  │        7        │    -    │
├────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/trivy                            │ gobinary │        6        │    -    │
└────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


docker.io/aquasec/trivy:0.67.2 (alpine 3.22.1)

Total: 7 (UNKNOWN: 0, LOW: 2, MEDIUM: 4, HIGH: 0, CRITICAL: 1)

┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2025-9230  │ MEDIUM   │ fixed  │ 3.5.1-r0          │ 3.5.4-r0      │ openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap   │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-9230                    │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-9231  │          │        │                   │               │ openssl: Timing side-channel in SM2 algorithm on 64 bit ARM  │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-9231                    │
│            ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-9232  │ LOW      │        │                   │               │ openssl: Out-of-bounds read in HTTP client no_proxy handling │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-9232                    │
├────────────┼────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│ libssl3    │ CVE-2025-9230  │ MEDIUM   │        │                   │               │ openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap   │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-9230                    │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-9231  │          │        │                   │               │ openssl: Timing side-channel in SM2 algorithm on 64 bit ARM  │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-9231                    │
│            ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-9232  │ LOW      │        │                   │               │ openssl: Out-of-bounds read in HTTP client no_proxy handling │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-9232                    │
├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ pcre2      │ CVE-2025-58050 │ CRITICAL │        │ 10.43-r1          │ 10.46-r0      │ pcre2: PCRE2: heap-buffer-overflow read in match_ref due to  │
│            │                │          │        │                   │               │ missing boundary restoration in...                           │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-58050                   │
└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

usr/local/bin/trivy (gobinary)

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)

┌─────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬──────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Status │ Installed Version │    Fixed Version    │                            Title                             │
├─────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd    │ CVE-2024-25621 │ HIGH     │ fixed  │ v1.7.28           │ 1.7.29              │ containerd is an open-source container runtime. Versions     │
│                                     │                │          │        │                   │                     │ 0.1.0 through ...                                            │
│                                     │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2024-25621                   │
│                                     ├────────────────┼──────────┤        │                   │                     ├──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2025-64329 │ MEDIUM   │        │                   │                     │ containerd is an open-source container runtime. Versions     │
│                                     │                │          │        │                   │                     │ 1.7.28 and be ...                                            │
│                                     │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2025-64329                   │
├─────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd/v2 │ CVE-2024-25621 │ HIGH     │        │ v2.1.4            │ 2.0.7, 2.1.5, 2.2.0 │ containerd is an open-source container runtime. Versions     │
│                                     │                │          │        │                   │                     │ 0.1.0 through ...                                            │
│                                     │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2024-25621                   │
│                                     ├────────────────┼──────────┤        │                   │                     ├──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2025-64329 │ MEDIUM   │        │                   │                     │ containerd is an open-source container runtime. Versions     │
│                                     │                │          │        │                   │                     │ 1.7.28 and be ...                                            │
│                                     │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2025-64329                   │
├─────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/opencontainers/selinux   │ CVE-2025-52881 │ HIGH     │        │ v1.12.0           │ 1.13.0              │ runc: opencontainers/selinux: container escape and denial of │
│                                     │                │          │        │                   │                     │ service due to arbitrary write...                            │
│                                     │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2025-52881                   │
├─────────────────────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                              │ CVE-2025-58187 │          │        │ v1.25.2           │ 1.24.9, 1.25.3      │ Due to the design of the name constraint checking algorithm, │
│                                     │                │          │        │                   │                     │ the proce...                                                 │
│                                     │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2025-58187                   │
└─────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴──────────────────────────────────────────────────────────────┘

In any case, I look forward to the next release of Trivy (which I believe should be soon, since the last release was 5 weeks ago).

Thank you in advance!

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Operating System

Linux

Version

$ trivy --version
Version: 0.67.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-11-17 18:27:28.229381717 +0000 UTC
  NextUpdate: 2025-11-18 18:27:28.229381477 +0000 UTC
  DownloadedAt: 2025-11-17 20:05:50.946470648 +0000 UTC

[DmitriyLewen]

Hello @candrews
Thanks for your report!

Are any of these exploitable / cause for concern?

I’ve looked into the vulnerabilities and I don’t think they should be a major concern for you.
If you’re only running Trivy as a binary inside a container and your runtimes and hosts are up to date, there shouldn’t be any serious issues.

However, you should understand that everything depends on your usage scenarios, attack vectors, etc., so you shouldn’t treat my words as a guarantee that you’re 100% safe.

Some of these vulnerabilities have already been fixed:

➜  trivy image -q docker.io/aquasec/trivy:canary


docker.io/aquasec/trivy:canary (alpine 3.22.1)

Total: 6 (UNKNOWN: 0, LOW: 2, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2025-9230 │ MEDIUM   │ fixed  │ 3.5.1-r0          │ 3.5.4-r0      │ openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap   │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-9230                    │
│            ├───────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-9231 │          │        │                   │               │ openssl: Timing side-channel in SM2 algorithm on 64 bit ARM  │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-9231                    │
│            ├───────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-9232 │ LOW      │        │                   │               │ openssl: Out-of-bounds read in HTTP client no_proxy handling │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-9232                    │
├────────────┼───────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│ libssl3    │ CVE-2025-9230 │ MEDIUM   │        │                   │               │ openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap   │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-9230                    │
│            ├───────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-9231 │          │        │                   │               │ openssl: Timing side-channel in SM2 algorithm on 64 bit ARM  │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-9231                    │
│            ├───────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-9232 │ LOW      │        │                   │               │ openssl: Out-of-bounds read in HTTP client no_proxy handling │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-9232                    │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

usr/local/bin/trivy (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│             Library              │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├──────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ github.com/containerd/containerd │ CVE-2024-25621 │ HIGH     │ fixed  │ v1.7.28           │ 1.7.29        │ containerd is an open-source container runtime. Versions │
│                                  │                │          │        │                   │               │ 0.1.0 through ...                                        │
│                                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-25621               │
│                                  ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────┤
│                                  │ CVE-2025-64329 │ MEDIUM   │        │                   │               │ containerd is an open-source container runtime. Versions │
│                                  │                │          │        │                   │               │ 1.7.28 and be ...                                        │
│                                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-64329               │
└──────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

We will update the container images and the Alpine version before the next release.

Regards, Dmitriy