CVE-2025-1974 ingress-nginx critical vulnerability not detected in a vulnerable container #8709

tjanowski · 2025-04-08T15:17:55Z

tjanowski
Apr 8, 2025

IDs

CVE-2025-1974

Description

According to GHSA-mgvx-rpfc-9mpv and kubernetes/kubernetes#131009 ingress-nginx controller v.1.12.0 contains a critical vulnerability CVE-2025-1974.
This is also present in the aqua vulnerability database https://avd.aquasec.com/nvd/2025/cve-2025-1974/

However the vulnerability is not found when the container is scanned with trivy.

Reproduction Steps

1. Run

docker run aquasec/trivy image registry.k8s.io/ingress-nginx/controller:v1.12.0

CVE-2025-1974 is not present in the output



### Target

Container Image

### Scanner

Vulnerability

### Target OS

_No response_

### Debug Output

```bash
2025-04-08T15:00:23Z    DEBUG   No plugins loaded
2025-04-08T15:00:23Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-04-08T15:00:23Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-04-08T15:00:23Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-04-08T15:00:23Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-04-08T15:00:23Z    DEBUG   Ignore statuses statuses=[]
2025-04-08T15:00:23Z    DEBUG   [vulndb] There is no db file
2025-04-08T15:00:23Z    DEBUG   [vulndb] There is no valid metadata file        err="file open error: open /root/.cache/trivy/db/metadata.json: no such file or directory"
2025-04-08T15:00:23Z    INFO    [vulndb] Need to update DB
2025-04-08T15:00:23Z    DEBUG   [vulndb] No metadata file
2025-04-08T15:00:23Z    INFO    [vulndb] Downloading vulnerability DB...
2025-04-08T15:00:23Z    INFO    [vulndb] Downloading artifact...        repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-04-08T15:01:08Z    DEBUG   Updating database metadata...
2025-04-08T15:01:08Z    DEBUG   DB info schema=2 updated_at=2025-04-08T12:18:56.989857786Z next_update=2025-04-09T12:18:56.989857585Z downloaded_at=2025-04-08T15:01:08.43499204Z
2025-04-08T15:01:08Z    DEBUG   [pkg] Package types     types=[os library]
2025-04-08T15:01:08Z    DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-04-08T15:01:08Z    INFO    [vuln] Vulnerability scanning is enabled
2025-04-08T15:01:08Z    INFO    [secret] Secret scanning is enabled
2025-04-08T15:01:08Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-04-08T15:01:08Z    INFO    [secret] Please see also https://trivy.dev/v0.60/docs/scanner/secret#recommendation for faster secret detection
2025-04-08T15:01:08Z    DEBUG   Initializing scan cache...      type="fs"
2025-04-08T15:01:09Z    DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-04-08T15:01:09Z    DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-04-08T15:01:09Z    DEBUG   [image] Detected image ID       image_id="sha256:a4a8af0db08902e65347157c5efef6d1f9e261f03c8aa14b1b40bc182b947fe7"
2025-04-08T15:01:09Z    DEBUG   [image] Detected diff ID        diff_ids=[sha256:3e01818d79cd3467f1d60e54224f3f6ce5170eceb54e265d96bb82344b8c24e7 sha256:2682218f04d1b64170aa77223ca25927e3d6931d89e121ffe4a3d734efd61cef sha256:69a0f44fead2721366699e2a4409e9611b3af401909037
e2758d3cc73238107a sha256:43972bb1bb31b329959c2a149a155ad78c66dcc7d6a77003e0a5a7532d42ce1d sha256:d7a8409ceb76c7f1e35bb252b1b86f487edb8b25a7937926af177a3b316367e5 sha256:96b9ae457f59557b462da6be6c9977b2d2db99437dcd13ee372f679b6d33241b sha256:5f70bf18a086007016e948b04aed3
b82103a36bea41755b6cddfaf10ace3c6ef sha256:be69a5ad470e8e67ea93f13aa825e40cf1e1d2104609e2e7c2a6c8a306e0e8df sha256:165f2a3e4312848b623a3aaec5678a38d698ceab5d717714b7d64d8e1f4fcd77 sha256:6d134d3d7e8aa630874f7c4e9db3db48d1895c60f3e5ce73272412404a9b723b sha256:d37a3e42d123
ca619ceab4bbe3c1e9a96d0a837e5e0e3052b33dbd0e842c5661 sha256:2874b9cc5af111c3a09857a37589ca899ee15c30690be9bff7ad7c634ea96c41 sha256:c41a4417ce6560b28e5d3f0450fcbdd75a40b671a4a6114e82ea50cdb7f911ed sha256:0b575ed2eb69c925e7f4fd53fef731203a7e91959211d9fad9fbed8094448fd2 sh
a256:6e436531de71f1ce67445886252520916b302d8dd3beda5f881ecd1696c48c6e]
2025-04-08T15:01:09Z    DEBUG   [image] Detected base layers    diff_ids=[sha256:3e01818d79cd3467f1d60e54224f3f6ce5170eceb54e265d96bb82344b8c24e7 sha256:2682218f04d1b64170aa77223ca25927e3d6931d89e121ffe4a3d734efd61cef sha256:69a0f44fead2721366699e2a4409e9611b3af401909037
e2758d3cc73238107a sha256:43972bb1bb31b329959c2a149a155ad78c66dcc7d6a77003e0a5a7532d42ce1d sha256:d7a8409ceb76c7f1e35bb252b1b86f487edb8b25a7937926af177a3b316367e5 sha256:96b9ae457f59557b462da6be6c9977b2d2db99437dcd13ee372f679b6d33241b]
2025-04-08T15:01:09Z    DEBUG   [image] Missing image ID in cache       image_id="sha256:a4a8af0db08902e65347157c5efef6d1f9e261f03c8aa14b1b40bc182b947fe7"
2025-04-08T15:01:09Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:69a0f44fead2721366699e2a4409e9611b3af401909037e2758d3cc73238107a"
2025-04-08T15:01:09Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:43972bb1bb31b329959c2a149a155ad78c66dcc7d6a77003e0a5a7532d42ce1d"
2025-04-08T15:01:09Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:3e01818d79cd3467f1d60e54224f3f6ce5170eceb54e265d96bb82344b8c24e7"
2025-04-08T15:01:09Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:d7a8409ceb76c7f1e35bb252b1b86f487edb8b25a7937926af177a3b316367e5"
2025-04-08T15:01:09Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:2682218f04d1b64170aa77223ca25927e3d6931d89e121ffe4a3d734efd61cef"
2025-04-08T15:01:09Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:96b9ae457f59557b462da6be6c9977b2d2db99437dcd13ee372f679b6d33241b"
2025-04-08T15:01:11Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
2025-04-08T15:01:12Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:be69a5ad470e8e67ea93f13aa825e40cf1e1d2104609e2e7c2a6c8a306e0e8df"
2025-04-08T15:01:14Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:165f2a3e4312848b623a3aaec5678a38d698ceab5d717714b7d64d8e1f4fcd77"
2025-04-08T15:01:14Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:6d134d3d7e8aa630874f7c4e9db3db48d1895c60f3e5ce73272412404a9b723b"
2025-04-08T15:01:14Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:d37a3e42d123ca619ceab4bbe3c1e9a96d0a837e5e0e3052b33dbd0e842c5661"
2025-04-08T15:01:17Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:2874b9cc5af111c3a09857a37589ca899ee15c30690be9bff7ad7c634ea96c41"
2025-04-08T15:01:19Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used        dependency="k8s.io/ingress-nginx"
2025-04-08T15:01:19Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="k8s.io/ingress-nginx" -ldflags=[]
2025-04-08T15:01:19Z    DEBUG   [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.  dependency="k8s.io/ingress-nginx"
2025-04-08T15:01:19Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:c41a4417ce6560b28e5d3f0450fcbdd75a40b671a4a6114e82ea50cdb7f911ed"
2025-04-08T15:01:20Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:0b575ed2eb69c925e7f4fd53fef731203a7e91959211d9fad9fbed8094448fd2"
2025-04-08T15:01:20Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used        dependency="k8s.io/ingress-nginx"
2025-04-08T15:01:20Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="k8s.io/ingress-nginx" -ldflags=[]
2025-04-08T15:01:20Z    DEBUG   [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.  dependency="k8s.io/ingress-nginx"
2025-04-08T15:01:20Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:6e436531de71f1ce67445886252520916b302d8dd3beda5f881ecd1696c48c6e"
2025-04-08T15:01:37Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used        dependency="k8s.io/ingress-nginx"
2025-04-08T15:01:37Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="k8s.io/ingress-nginx" -ldflags=[]
2025-04-08T15:01:37Z    DEBUG   [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.  dependency="k8s.io/ingress-nginx"
2025-04-08T15:01:43Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used        dependency="k8s.io/ingress-nginx"
2025-04-08T15:01:43Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="k8s.io/ingress-nginx" -ldflags=[]
2025-04-08T15:01:43Z    DEBUG   [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.  dependency="k8s.io/ingress-nginx"
2025-04-08T15:01:54Z    DEBUG   No secrets found in container image config
2025-04-08T15:01:54Z    INFO    Detected OS     family="alpine" version="3.21.0"
2025-04-08T15:01:54Z    INFO    [alpine] Detecting vulnerabilities...   os_version="3.21" repository="3.21" pkg_num=120
2025-04-08T15:01:54Z    INFO    Number of language-specific files       num=3
2025-04-08T15:01:54Z    INFO    [gobinary] Detecting vulnerabilities...
2025-04-08T15:01:54Z    DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="dbg"
2025-04-08T15:01:54Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="k8s.io/ingress-nginx"
2025-04-08T15:01:54Z    DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="nginx-ingress-controller"
2025-04-08T15:01:54Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="k8s.io/ingress-nginx"
2025-04-08T15:01:54Z    DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="wait-shutdown"
2025-04-08T15:01:54Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="k8s.io/ingress-nginx"
2025-04-08T15:01:54Z    WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.60/docs/scanner/vulnerability#severity-selection for details.
2025-04-08T15:01:54Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-04-08T15:01:54Z    DEBUG   [vex] VEX filtering is disabled

Report Summary

┌──────────────────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                              Target                              │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ registry.k8s.io/ingress-nginx/controller:v1.12.0 (alpine 3.21.0) │  alpine  │       18        │    -    │
├──────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ dbg                                                              │ gobinary │        3        │    -    │
├──────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ nginx-ingress-controller                                         │ gobinary │        4        │    -    │
├──────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ wait-shutdown                                                    │ gobinary │        3        │    -    │
└──────────────────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


registry.k8s.io/ingress-nginx/controller:v1.12.0 (alpine 3.21.0)
================================================================
Total: 18 (UNKNOWN: 2, LOW: 4, MEDIUM: 5, HIGH: 7, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl       │ CVE-2025-0725  │ MEDIUM   │ fixed  │ 8.11.1-r0         │ 8.12.0-r0     │ libcurl: Buffer Overflow in libcurl via zlib Integer         │
│            │                │          │        │                   │               │ Overflow                                                     │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-0725                    │
│            ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-0167  │ LOW      │        │                   │               │ When asked to use a `.netrc` file for credentials **and** to │
│            │                │          │        │                   │               │ follow...                                                    │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-0167                    │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-0665  │          │        │                   │               │ libcurl would wrongly close the same eventfd file descriptor │
│            │                │          │        │                   │               │ twice whe ......                                             │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-0665                    │
├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2024-12797 │ HIGH     │        │ 3.3.2-r4          │ 3.3.3-r0      │ openssl: RFC7250 handshakes with unauthenticated servers     │
│            │                │          │        │                   │               │ don't abort as expected                                      │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12797                   │
│            ├────────────────┼──────────┤        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2024-13176 │ MEDIUM   │        │                   │ 3.3.2-r5      │ openssl: Timing side-channel in ECDSA signature computation  │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                   │
├────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl    │ CVE-2025-0725  │          │        │ 8.11.1-r0         │ 8.12.0-r0     │ libcurl: Buffer Overflow in libcurl via zlib Integer         │
│            │                │          │        │                   │               │ Overflow                                                     │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-0725                    │
│            ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-0167  │ LOW      │        │                   │               │ When asked to use a `.netrc` file for credentials **and** to │
│            │                │          │        │                   │               │ follow...                                                    │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-0167                    │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-0665  │          │        │                   │               │ libcurl would wrongly close the same eventfd file descriptor │
│            │                │          │        │                   │               │ twice whe ......                                             │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-0665                    │
├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libssl3    │ CVE-2024-12797 │ HIGH     │        │ 3.3.2-r4          │ 3.3.3-r0      │ openssl: RFC7250 handshakes with unauthenticated servers     │
│            │                │          │        │                   │               │ don't abort as expected                                      │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12797                   │
│            ├────────────────┼──────────┤        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2024-13176 │ MEDIUM   │        │                   │ 3.3.2-r5      │ openssl: Timing side-channel in ECDSA signature computation  │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                   │
├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2    │ CVE-2024-56171 │ HIGH     │        │ 2.13.4-r3         │ 2.13.4-r4     │ libxml2: Use-After-Free in libxml2                           │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-56171                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-24928 │          │        │                   │               │ libxml2: Stack-based buffer overflow in xmlSnprintfElements  │
│            │                │          │        │                   │               │ of libxml2                                                   │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-24928                   │
│            ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-27113 │          │        │                   │ 2.13.4-r5     │ libxml2: NULL Pointer Dereference in libxml2 xmlPatMatch     │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-27113                   │
├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ musl       │ CVE-2025-26519 │ UNKNOWN  │        │ 1.2.5-r8          │ 1.2.5-r9      │ musl libc 0.9.13 through 1.2.5 before 1.2.6 has an           │
│            │                │          │        │                   │               │ out-of-bounds write ......                                   │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-26519                   │
├────────────┤                │          │        │                   │               │                                                              │
│ musl-utils │                │          │        │                   │               │                                                              │
│            │                │          │        │                   │               │                                                              │
│            │                │          │        │                   │               │                                                              │
├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ openssl    │ CVE-2024-12797 │ HIGH     │        │ 3.3.2-r4          │ 3.3.3-r0      │ openssl: RFC7250 handshakes with unauthenticated servers     │
│            │                │          │        │                   │               │ don't abort as expected                                      │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12797                   │
│            ├────────────────┼──────────┤        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2024-13176 │ MEDIUM   │        │                   │ 3.3.2-r5      │ openssl: Timing side-channel in ECDSA signature computation  │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                   │
├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ xz-libs    │ CVE-2025-31115 │ HIGH     │        │ 5.6.3-r0          │ 5.6.3-r1      │ xz: XZ has a heap-use-after-free bug in threaded .xz decoder │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-31115                   │
└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

dbg (gobinary)
==============
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-45336 │ MEDIUM   │ fixed  │ v1.23.4           │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly    │
│         │                │          │        │                   │                              │ sent after cross-domain redirect                             │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-45341 │          │        │                   │                              │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│         │                │          │        │                   │                              │ bypass URI name...                                           │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-22866 │          │        │                   │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│         │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

nginx-ingress-controller (gobinary)
===================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2025-22870 │ MEDIUM   │ fixed  │ v0.33.0           │ 0.36.0                       │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:     │
│                  │                │          │        │                   │                              │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net    │
│                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22870                   │
├──────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib           │ CVE-2024-45336 │          │        │ v1.23.4           │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly    │
│                  │                │          │        │                   │                              │ sent after cross-domain redirect                             │
│                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│                  ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│                  │ CVE-2024-45341 │          │        │                   │                              │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│                  │                │          │        │                   │                              │ bypass URI name...                                           │
│                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
│                  ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2025-22866 │          │        │                   │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│                  │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
│                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

wait-shutdown (gobinary)
========================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-45336 │ MEDIUM   │ fixed  │ v1.23.4           │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly    │
│         │                │          │        │                   │                              │ sent after cross-domain redirect                             │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-45341 │          │        │                   │                              │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│         │                │          │        │                   │                              │ bypass URI name...                                           │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-22866 │          │        │                   │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│         │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

Version

Version: 0.60.0

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

itaysk · 2025-04-08T18:45:23Z

itaysk
Apr 8, 2025
Maintainer

the nginx-ingress-controller binary is missing version information:

go version -m ./nginx-ingress-controller 
./nginx-ingress-controller: go1.22.4
	path	k8s.io/ingress-nginx/cmd/nginx
	mod	k8s.io/ingress-nginx	(devel)

this might be resolved if/when k8s team use go1.24 to build their binaries which "sets the main module’s version in the compiled binary based on the version control system tag and/or commit".
Trivy can also detect this vulnerability by directly scanning your cluster, and not relying on container image scanning at all, as demonstrated in the blog post: https://www.aquasec.com/blog/ingress-nginx-vulnerabilities-what-you-need-to-know/#section-6

4 replies

tjanowski Apr 9, 2025
Author

Thank you, that's very helpful. We were quite concerned about having missed a critical vulnerability, but it seems like k8s cluster scanning is the way to go.

Percivalll Apr 17, 2025

the nginx-ingress-controller binary is missing version information:
go version -m ./nginx-ingress-controller 
./nginx-ingress-controller: go1.22.4
	path	k8s.io/ingress-nginx/cmd/nginx
	mod	k8s.io/ingress-nginx	(devel)	
this might be resolved if/when k8s team use go1.24 to build their binaries which "sets the main module’s version in the compiled binary based on the version control system tag and/or commit". Trivy can also detect this vulnerability by directly scanning your cluster, and not relying on container image scanning at all, as demonstrated in the blog post: https://www.aquasec.com/blog/ingress-nginx-vulnerabilities-what-you-need-to-know/#section-6

But I found that grype $ grype registry.k8s.io/ingress- ✔ Parsed image ✔ Cataloged contents ├── ✔ Packages ├── ✔ File digests ├── ✔ File metadata └── ✔ Executables ✔ Scanned for vulnerabilities ├── by severity: └── by status: NAME INSTALLED FIXED-IN c-ares 1.34.3-r0 1.34.5-r0 curl 8.11.1-r0 8.12.0-r0 curl 8.11.1-r0 8.12.0-r0 curl 8.11.1-r0 8.12.0-r0 golang.org/x/net v0.33.0 0.36.0 golang.org/x/net v0.33.0 0.38.0 grpc 1.62.1-r2 grpc-cpp 1.62.1-r2 k8s.io/ingress-nginx v1.12.0 k8s.io/ingress-nginx v1.12.0 1.12.1 k8s.io/ingress-nginx v1.12.0 1.12.1 k8s.io/ingress-nginx v1.12.0 1.12.1 k8s.io/ingress-nginx v1.12.0 1.12.1 libaddress_sorting 1.62.1-r2 libcrypto3 3.3.2-r4 3.3.3-r0 libcrypto3 3.3.2-r4 3.3.2-r5 libcurl 8.11.1-r0 8.12.0-r0 libcurl 8.11.1-r0 8.12.0-r0 libcurl 8.11.1-r0 8.12.0-r0 libgpr 1.62.1-r2 libgrpc 1.62.1-r2 libgrpc_unsecure 1.62.1-r2 libssl3 3.3.2-r4 3.3.3-r0 libssl3 3.3.2-r4 3.3.2-r5 libupb_base_lib 1.62.1-r2 libupb_json_lib 1.62.1-r2 libupb_mem_lib 1.62.1-r2 libupb_message_lib 1.62.1-r2 libupb_textformat_lib 1.62.1-r2 libxml2 2.13.4-r3 2.13.4-r4 libxml2 2.13.4-r3 2.13.4-r4 libxml2 2.13.4-r3 2.13.4-r5 musl 1.2.5-r8 1.2.5-r9 musl-utils 1.2.5-r8 1.2.5-r9 nginx 1.25.5 1.26.1 nginx 1.25.5 1.26.1 nginx 1.25.5 1.26.1 nginx 1.25.5 1.26.1 nginx 1.25.5 nginx 1.25.5 openssl 3.3.2-r4 3.3.3-r0 openssl 3.3.2-r4 3.3.2-r5 stdlib go1.23.4 stdlib go1.23.4 stdlib go1.23.4 stdlib go1.23.4 xz-libs 5.6.3-r0 5.6.3-r1 detectes this vulnerability:
nginx/controller:v1.12.0
sha256:a4a8af0db08902e65347157c5efef6d1f9e261f03c8aa14b1b40bc182b947fe7
5c06930ada97e5df24a3ec60c55723acf78d3177086922ba6352b4f863a39649
[217 packages]
[783 files]
[783 locations]
[214 executables]
[55 vulnerability matches]
3 critical, 12 high, 35 medium, 2 low, 0 negligible (3 unknown)
44 fixed, 11 not-fixed, 0 ignored
TYPE VULNERABILITY SEVERITY
apk CVE-2025-31498 High
apk CVE-2025-0665 Critical
apk CVE-2025-0725 High
apk CVE-2025-0167 Low
go-module GHSA-qxp5-gwg8-xv66 Medium
go-module GHSA-vvgc-356p-c3xw Medium
apk CVE-2024-7246 Medium
apk CVE-2024-7246 Medium
1.12.1 go-module GHSA-mgvx-rpfc-9mpv Critical
go-module GHSA-823x-fv5p-h7hw High
go-module GHSA-fwwp-xcxw-39vq High
go-module GHSA-vg63-w3p9-jc9m High
go-module GHSA-242m-6h72-7hgp Medium
apk CVE-2024-7246 Medium
apk CVE-2024-12797 Medium
apk CVE-2024-13176 Medium
apk CVE-2025-0665 Critical
apk CVE-2025-0725 High
apk CVE-2025-0167 Low
apk CVE-2024-7246 Medium
apk CVE-2024-7246 Medium
apk CVE-2024-7246 Medium
apk CVE-2024-12797 Medium
apk CVE-2024-13176 Medium
apk CVE-2024-7246 Medium
apk CVE-2024-7246 Medium
apk CVE-2024-7246 Medium
apk CVE-2024-7246 Medium
apk CVE-2024-7246 Medium
apk CVE-2024-56171 High
apk CVE-2025-24928 High
apk CVE-2025-27113 High
apk CVE-2025-26519 High
apk CVE-2025-26519 High
binary CVE-2024-31079 Medium
binary CVE-2024-32760 Medium
binary CVE-2024-34161 Medium
binary CVE-2024-35200 Medium
1.26.2, 1.27.1 binary CVE-2024-7347 Medium
1.26.3, 1.27.4 binary CVE-2025-23419 Medium
apk CVE-2024-12797 Medium
apk CVE-2024-13176 Medium
1.22.11, 1.23.5, 1.24.0-rc.2 go-module CVE-2024-45336 Medium
1.22.11, 1.23.5, 1.24.0-rc.2 go-module CVE-2024-45341 Medium
1.22.12, 1.23.6, 1.24.0-rc.3 go-module CVE-2025-22866 Medium
1.23.8, 1.24.2 go-module CVE-2025-22871 Unknown
apk CVE-2025-31115 High

Is there potential for Trivy to improve further in detecting similar vulnerabilities?

Percivalll Apr 17, 2025

syft's outpout:

{
            "id": "912e3b23998ff8f1",
            "name": "k8s.io/ingress-nginx",
            "version": "v1.12.0",
            "type": "go-module",
            "foundBy": "go-module-binary-cataloger",
            "locations": [
                {
                    "path": "/nginx-ingress-controller",
                    "layerID": "sha256:0b575ed2eb69c925e7f4fd53fef731203a7e91959211d9fad9fbed8094448fd2",
                    "accessPath": "/nginx-ingress-controller",
                    "annotations": {
                        "evidence": "primary"
                    }
                }
            ],
            "licenses": [],
            "language": "go",
            "cpes": [],
            "purl": "pkg:golang/k8s.io/[email protected]",
            "metadataType": "go-module-buildinfo-entry",
            "metadata": {
                "goBuildSettings": [
                    {
                        "key": "-buildmode",
                        "value": "exe"
                    },
                    {
                        "key": "-compiler",
                        "value": "gc"
                    },
                    {
                        "key": "-trimpath",
                        "value": "true"
                    },
                    {
                        "key": "CGO_ENABLED",
                        "value": "0"
                    },
                    {
                        "key": "GOARCH",
                        "value": "amd64"
                    },
                    {
                        "key": "GOOS",
                        "value": "linux"
                    },
                    {
                        "key": "GOAMD64",
                        "value": "v1"
                    }
                ],
                "goCompiledVersion": "go1.23.4",
                "architecture": "amd64",
                "mainModule": "k8s.io/ingress-nginx"
            }
        }

knqyf263 Apr 17, 2025
Maintainer

Since we're not a Syft maintainer, we don't know how they detect it. This process may be relevant, though.
https://github.com/anchore/syft/blob/b13ffdd30466827a9444f272ae28dab7968f4f40/syft/pkg/cataloger/golang/parse_go_binary.go#L258-L270

$ perl -0777 -lne 'while(/[\x00\x{FFFD}]?(?:\.L)?(v?\d+\.\d+\.\d+(?:[-\w]*[+\w]*))(?=\x00)/g){ print "$1\n" }' ./nginx-ingress-controller | head -n 1
v1.12.0

However, I'm not sure how accurate it is.

$ perl -0777 -lne 'while(/[\x00\x{FFFD}]?(?:\.L)?(v?\d+\.\d+\.\d+(?:[-\w]*[+\w]*))(?=\x00)/g){ print "$1\n" }' ./trivy | head -n 1
0.0.1

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2025-1974 ingress-nginx critical vulnerability not detected in a vulnerable container #8709

{{title}}

Replies: 1 comment 4 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

CVE-2025-1974 ingress-nginx critical vulnerability not detected in a vulnerable container #8709

tjanowski Apr 8, 2025

IDs

Description

Reproduction Steps

Version

Checklist

Replies: 1 comment · 4 replies

itaysk Apr 8, 2025 Maintainer

tjanowski Apr 9, 2025 Author

Percivalll Apr 17, 2025

Percivalll Apr 17, 2025

knqyf263 Apr 17, 2025 Maintainer

tjanowski
Apr 8, 2025

Replies: 1 comment 4 replies

itaysk
Apr 8, 2025
Maintainer

tjanowski Apr 9, 2025
Author

knqyf263 Apr 17, 2025
Maintainer