CVEs are active again

[WolverMinion]

Preflight Checklist

• I agree to follow the Code of Conduct that this project adheres to.
• I have searched the issue tracker for an issue that matches the one I want to file, without success.
• I am not looking for support or already pursued the available support channels without success.

Version

2.42.0

Storage Type

etcd

Installation Type

Official container image

Expected Behavior

The image does not show any CVEs that have already been fixed when scanned with a vulnerability scanner.

Actual Behavior

The vulnerability scanner shows the following CVEs again.

usr/local/bin/dex (gobinary)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 3)

┌───────────────────────────────┬────────────────┬──────────┬────────┬──────────────────────────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────────────┼────────────────┼──────────┼────────┼──────────────────────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/dexidp/dex │ CVE-2020-26290 │ CRITICAL │ fixed │ v0.0.0-20250219130842-7d1a7473c8a0+dirty │ 2.27.0 │ Critical security issues in XML encoding in │
│ │ │ │ │ │ │ github.com/dexidp/dex │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-26290 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2020-27847 │ │ │ │ │ dexidp/dex: authentication bypass in saml authentication │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-27847 │
│ ├────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-39222 │ │ │ │ 2.35.0 │ dexidp: gaining access to applications accepting that token │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-39222 │
├───────────────────────────────┼────────────────┼──────────┤ ├──────────────────────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/go-jose/go-jose/v4 │ CVE-2025-27144 │ MEDIUM │ │ v4.0.4 │ 4.0.5 │ go-jose: Go JOSE's Parsing Vulnerable to Denial of Service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-27144 │
├───────────────────────────────┼────────────────┤ │ ├──────────────────────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2025-22870 │ │ │ v0.35.0 │ 0.36.0 │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: │
│ │ │ │ │ │ │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22870 │
└───────────────────────────────┴────────────────┴──────────┴────────┴──────────────────────────────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

usr/local/bin/docker-entrypoint (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 3)

┌───────────────────────┬────────────────┬──────────┬────────┬──────────────────────────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────┼────────────────┼──────────┼────────┼──────────────────────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/dexidp/dex │ CVE-2020-26290 │ CRITICAL │ fixed │ v0.0.0-20250219130842-7d1a7473c8a0+dirty │ 2.27.0 │ Critical security issues in XML encoding in │
│ │ │ │ │ │ │ github.com/dexidp/dex
│
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-26290 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2020-27847 │ │ │ │ │ dexidp/dex: authentication bypass in saml authentication │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-27847 │
│ ├────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-39222 │ │ │ │ 2.35.0 │ dexidp: gaining access to applications accepting that token │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-39222 │
└───────────────────────┴────────────────┴──────────┴────────┴──────────────────────────────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

usr/local/bin/gomplate (gobinary)

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 1, CRITICAL: 0)

┌───────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/go-jose/go-jose/v4 │ CVE-2025-27144 │ MEDIUM │ fixed │ v4.0.2 │ 4.0.5 │ go-jose: Go JOSE's Parsing Vulnerable to Denial of Service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-27144 │
├───────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/golang-jwt/jwt/v5 │ CVE-2025-30204 │ HIGH │ │ v5.2.1 │ 5.2.2 │ golang-jwt/jwt: jwt-go allows excessive memory allocation │
│ │ │ │ │ │ │ during header parsing
│
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-30204 │
├───────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2025-22870 │ MEDIUM │ │ v0.32.0 │ 0.36.0 │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: │
│ │ │ │ │ │ │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22870 │
├───────────────────────────────┼────────────────┤ │ ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-45336 │ │ │ v1.23.4 │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly │
│ │ │ │ │ │ │ sent after cross-domain redirect │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45336 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-45341 │ │ │ │ │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│ │ │ │ │ │ │ bypass URI name...
│
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45341 │
│ ├────────────────┤ │ │ ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-22866 │ │ │ │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│ │ │ │ │ │ │ on ppc64le in crypto/internal/nistec │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22866 │
└───────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

Steps To Reproduce

1. run trivy image dexidp/dex:v2.42.0
2. see the report

Additional Information

the provided version of the cli is strange

• github.com/dexidp/dex:v0.0.0-20250219130842-7d1a7473c8a0+dirty

Configuration

Logs

[WolverMinion]

Your new version 2.42.1 does not fix the problem.
Could it be due to your versioning of the cli?
0.0.0-20250414234518-4c3e83b90135

[sagikazarmark]

What trivy version do you use? I tried the latest and it reports the dex version correctly

[MoeBensu]

@sagikazarmark When running i.e. trivy image -v dexidp/dex:latest-alpine

it reports as well old CRITICAL CVEs that should be already fixed in the past, but for some reason trivy reports them in the current latest image.

[sagikazarmark]

@MoeBensu can you please confirm that the latest image in fact points to the latest version (check sha256 sum for latest and 2.42.1) and what version of trivy you are running?

[MoeBensu]

@sagikazarmark

trivy image -d dexidp/dex:latest-alpine yields this output

...

2025-04-23T09:22:42+02:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-04-23T09:22:42+02:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2025-04-23T09:22:42+02:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-04-23T09:22:43+02:00	DEBUG	[image] Detected image ID	image_id="sha256:f8142d6c3f886a180ca1b9b7f6e6d420b484051a2aeb5be2c76f142515cba3ff"
2025-04-23T09:22:43+02:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350 sha256:ba8d3e2b323ce43e9ec8ef16293e98d3db8200d2636d1904ebfbadcab940555e sha256:ae0e4360eb5e29c6f0294633042c683b2635ec04b8a44442303071ed6ad01fd6 sha256:89f5ceed0df17899ae3fc1c51f7d7e1d9e78b5d2cb5f20df1b041a6056f9ea4e sha256:00e23f6d22e2b6e9e6917211f3636c1043d2d9365348be8ad8b3cdb19544bae1 sha256:e0797cbe265215831b6dcb81708d9f7bb86a3b41b44ab95098bae63379247e56 sha256:7124a78ab881e2f3b496ac6542cdd891233fbfc102181f73bc64d9c2a3453c02 sha256:d45e75b4fdcdd4097d4c0c7a2ad536590674463e9d392d6e4d8cb8ed8cbedfa5 sha256:95017831343d5ab3583e1b6c7ead347cf7bfd8ce789c63d094514bb1aae4b36d sha256:17ea77c7983d4b1ceff469a87000593123538d9cbe7e796794719aaf48434a4d]
2025-04-23T09:22:43+02:00	DEBUG	[image] Detected base layers	diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350]
2025-04-23T09:22:43+02:00	INFO	Detected OS	family="alpine" version="3.21.3"
2025-04-23T09:22:43+02:00	WARN	This OS version is not on the EOL list	family="alpine" version="3.21"
2025-04-23T09:22:43+02:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.21" repository="3.21" pkg_num=15
2025-04-23T09:22:43+02:00	INFO	Number of language-specific files	num=3
2025-04-23T09:22:43+02:00	INFO	[gobinary] Detecting vulnerabilities...
2025-04-23T09:22:43+02:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/dex"
2025-04-23T09:22:43+02:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="./api/v2"
2025-04-23T09:22:43+02:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/docker-entrypoint"
2025-04-23T09:22:43+02:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/gomplate"

trivy --version outputs:

Version: 0.53.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-04-23 06:18:39.172900945 +0000 UTC
  NextUpdate: 2025-04-24 06:18:39.172900434 +0000 UTC
  DownloadedAt: 2025-04-23 07:19:28.702098 +0000 UTC
...

NOTE: same trivy report with the critical old CVEs I can reproduce on different machines.

docker pull dexidp/dex:latest-alpine outputs

latest-alpine: Pulling from dexidp/dex
6e771e15690e: Pull complete
1a965432f056: Pull complete
2ae7ff8b8356: Pull complete
2580cc516b72: Pull complete
f273537fadcd: Pull complete
9f8b9aff4b7f: Pull complete
047f299e9bb0: Pull complete
9e8287355274: Pull complete
3e69aaee8db6: Pull complete
acdf92030f68: Pull complete
Digest: sha256:8388e1f8457486a80081828619b108fc1f17573597f3708028f563cf0b99954e
Status: Downloaded newer image for dexidp/dex:latest-alpine
docker.io/dexidp/dex:latest-alpine

followed with docker inspect dexidp/dex:latest-alpine

[
    {
        "Id": "sha256:9656a63967f19bfd5192da7880c7ad0247887d17fa1ca7c5e74675f73d4b4b7a",
        "RepoTags": [
            "dexidp/dex:latest-alpine"
        ],
        "RepoDigests": [
            "dexidp/dex@sha256:8388e1f8457486a80081828619b108fc1f17573597f3708028f563cf0b99954e"
        ],
        "Parent": "",
        "Comment": "buildkit.dockerfile.v0",
        "Created": "2025-04-15T09:36:38.646403771Z",
        "DockerVersion": "",
        "Author": "",
        "Config": {
            "Hostname": "",
            "Domainname": "",
            "User": "1001:1001",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Cmd": [
                "dex",
                "serve",
                "/etc/dex/config.docker.yaml"
            ],
            "ArgsEscaped": true,
            "Image": "",
            "Volumes": null,
            "WorkingDir": "/",
            "Entrypoint": [
                "/usr/local/bin/docker-entrypoint"
            ],
            "OnBuild": null,
            "Labels": {
                "org.opencontainers.image.created": "2025-04-15T09:31:20.355Z",
                "org.opencontainers.image.description": "OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors",
                "org.opencontainers.image.documentation": "https://dexidp.io/docs/",
                "org.opencontainers.image.licenses": "Apache-2.0",
                "org.opencontainers.image.revision": "922e1547b73eb7f1fbb632194e74d69adc55fa8d",
                "org.opencontainers.image.source": "https://github.com/dexidp/dex",
                "org.opencontainers.image.title": "dex",
                "org.opencontainers.image.url": "https://github.com/dexidp/dex",
                "org.opencontainers.image.version": "master"
            }
        },
        "Architecture": "arm64",
        "Os": "linux",
        "Size": 126610267,
        "GraphDriver": {
            "Data": {
                "LowerDir": "/var/lib/docker/overlay2/fb2b0f5b8342fcb15443ff6a58a37d7d608b8bd65f45f54a3e519a10ac8233ba/diff:/var/lib/docker/overlay2/d019290d1b0ac0cf3b0fa9e001ba47a47eea9d3eb8c4e060ff5c48cb1d4475e2/diff:/var/lib/docker/overlay2/a7f81412e958efc6a754d75874a2b05f433018d14e2e680291b25bf7b5d0caed/diff:/var/lib/docker/overlay2/56f99aee851f82206aef49b035656ddcc36e47975e89be3d010606c7c667d10a/diff:/var/lib/docker/overlay2/89e53ec3c450921d16c4d0838b2fc47f5a90f7bddb33a4d61fd66f6e71d5039c/diff:/var/lib/docker/overlay2/7c811389335b259b6ee84f4c1d9195a80fabebd7a88e351e41e69fc0dc8a3b20/diff:/var/lib/docker/overlay2/3f174bafd45ee064971d23e7ffbd62bfaa2a99a08c668f68d8e9837394dfeb01/diff:/var/lib/docker/overlay2/ded1fa009c3d59cf6719bcfda3ae641ace5a28d6d027ac110a86eabf097d22da/diff:/var/lib/docker/overlay2/993f9606176ff14740a5921e34862c7da80e8fb32dd1aa7e3934ddc7fd4fd436/diff",
                "MergedDir": "/var/lib/docker/overlay2/24f738158c8103b9337590ed2b342d4e47fee7689bc7d036ab52e246393c5c26/merged",
                "UpperDir": "/var/lib/docker/overlay2/24f738158c8103b9337590ed2b342d4e47fee7689bc7d036ab52e246393c5c26/diff",
                "WorkDir": "/var/lib/docker/overlay2/24f738158c8103b9337590ed2b342d4e47fee7689bc7d036ab52e246393c5c26/work"
            },
            "Name": "overlay2"
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:a16e98724c05975ee8c40d8fe389c3481373d34ab20a1cf52ea2accc43f71f4c",
                "sha256:23d6f726605361848621372bff37e5e675fed8b1b17931aab67ddcd3202159a3",
                "sha256:2373cb89f470e29f86ec6a6a8e55972a4723960baee1fa83fbc6ace3203a940b",
                "sha256:b9ae679078d96d7d9b8177c94d7c5a9ff9cb29ddea7a80c3247300b728bdcf46",
                "sha256:4477e23f3718bdf3afebd93f64c58eacbc29be0099dd5562a4429ecc6d9aaf44",
                "sha256:da5c165ad45fba066ffa10fb908216dbc6b2eac84e3a587b828dc498755ce9e9",
                "sha256:14e0a2f8bad12d670dfe279f7400ae13877c3bf5162c5af7303eb8c53d333a0e",
                "sha256:7651650ebffdf2f92c14612325d5fd4c1651d5239a0a8fae3494025bee4502e1",
                "sha256:33c96c42aaa04f82b8811e42bc4b7ed6c3ae314fbbe41c3f343f98a0055f3713",
                "sha256:fee5daa7e761dab8f78e5f7316f9f03bb31e9943c0dff9fa225bebc66da59a3e"
            ]
        },
        "Metadata": {
            "LastTagTime": "0001-01-01T00:00:00Z"
        }
    }
]

[sagikazarmark]

Looks like you have different image IDs in the two scans (which is why using latest is generally not a great idea).

I can't reproduce it with the latest Trivy version.

Can you please upgrade trivy and run scan for a tagged version?

[MoeBensu]

@sagikazarmark
I got same output with a tagged version

[sagikazarmark]

Is it the latest trivy version?

[MoeBensu]

@sagikazarmark No.

Those are the outputs with the new trivy.

trivy image -d dexidp/dex:latest-alpine

2025-04-23T15:00:54+02:00	DEBUG	[image] Detected image ID	image_id="sha256:f8142d6c3f886a180ca1b9b7f6e6d420b484051a2aeb5be2c76f142515cba3ff"
2025-04-23T15:00:54+02:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350 sha256:ba8d3e2b323ce43e9ec8ef16293e98d3db8200d2636d1904ebfbadcab940555e sha256:ae0e4360eb5e29c6f0294633042c683b2635ec04b8a44442303071ed6ad01fd6 sha256:89f5ceed0df17899ae3fc1c51f7d7e1d9e78b5d2cb5f20df1b041a6056f9ea4e sha256:00e23f6d22e2b6e9e6917211f3636c1043d2d9365348be8ad8b3cdb19544bae1 sha256:e0797cbe265215831b6dcb81708d9f7bb86a3b41b44ab95098bae63379247e56 sha256:7124a78ab881e2f3b496ac6542cdd891233fbfc102181f73bc64d9c2a3453c02 sha256:d45e75b4fdcdd4097d4c0c7a2ad536590674463e9d392d6e4d8cb8ed8cbedfa5 sha256:95017831343d5ab3583e1b6c7ead347cf7bfd8ce789c63d094514bb1aae4b36d sha256:17ea77c7983d4b1ceff469a87000593123538d9cbe7e796794719aaf48434a4d]
2025-04-23T15:00:54+02:00	DEBUG	[image] Detected base layers	diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350]
2025-04-23T15:00:54+02:00	INFO	Detected OS	family="alpine" version="3.21.3"
2025-04-23T15:00:54+02:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.21" repository="3.21" pkg_num=15
2025-04-23T15:00:54+02:00	INFO	Number of language-specific files	num=3
2025-04-23T15:00:54+02:00	INFO	[gobinary] Detecting vulnerabilities...
2025-04-23T15:00:54+02:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/dex"
2025-04-23T15:00:54+02:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="./api/v2"
2025-04-23T15:00:54+02:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/docker-entrypoint"
2025-04-23T15:00:54+02:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/gomplate"
2025-04-23T15:00:54+02:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.61/docs/scanner/vulnerability#severity-selection for details.
2025-04-23T15:00:54+02:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-04-23T15:00:54+02:00	DEBUG	[vex] VEX filtering is disabled

Report Summary

┌──────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                  Target                  │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ dexidp/dex:latest-alpine (alpine 3.21.3) │  alpine  │        0        │    -    │
├──────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/dex                        │ gobinary │        3        │    -    │
├──────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/docker-entrypoint          │ gobinary │        3        │    -    │
├──────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/gomplate                   │ gobinary │        9        │    -    │
└──────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


usr/local/bin/dex (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 3)

┌───────────────────────┬────────────────┬──────────┬────────┬────────────────────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │         Installed Version          │ Fixed Version │                            Title                            │
├───────────────────────┼────────────────┼──────────┼────────┼────────────────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/dexidp/dex │ CVE-2020-26290 │ CRITICAL │ fixed  │ v0.0.0-20250415092641-922e1547b73e │ 2.27.0        │ Critical security issues in XML encoding in                 │
│                       │                │          │        │                                    │               │ github.com/dexidp/dex                                       │
│                       │                │          │        │                                    │               │ https://avd.aquasec.com/nvd/cve-2020-26290                  │
│                       ├────────────────┤          │        │                                    │               ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2020-27847 │          │        │                                    │               │ dexidp/dex: authentication bypass in saml authentication    │
│                       │                │          │        │                                    │               │ https://avd.aquasec.com/nvd/cve-2020-27847                  │
│                       ├────────────────┤          │        │                                    ├───────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-39222 │          │        │                                    │ 2.35.0        │ dexidp: gaining access to applications accepting that token │
│                       │                │          │        │                                    │               │ https://avd.aquasec.com/nvd/cve-2022-39222                  │
└───────────────────────┴────────────────┴──────────┴────────┴────────────────────────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

usr/local/bin/docker-entrypoint (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 3)

┌───────────────────────┬────────────────┬──────────┬────────┬────────────────────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │         Installed Version          │ Fixed Version │                            Title                            │
├───────────────────────┼────────────────┼──────────┼────────┼────────────────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/dexidp/dex │ CVE-2020-26290 │ CRITICAL │ fixed  │ v0.0.0-20250415092641-922e1547b73e │ 2.27.0        │ Critical security issues in XML encoding in                 │
│                       │                │          │        │                                    │               │ github.com/dexidp/dex                                       │
│                       │                │          │        │                                    │               │ https://avd.aquasec.com/nvd/cve-2020-26290                  │
│                       ├────────────────┤          │        │                                    │               ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2020-27847 │          │        │                                    │               │ dexidp/dex: authentication bypass in saml authentication    │
│                       │                │          │        │                                    │               │ https://avd.aquasec.com/nvd/cve-2020-27847                  │
│                       ├────────────────┤          │        │                                    ├───────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-39222 │          │        │                                    │ 2.35.0        │ dexidp: gaining access to applications accepting that token │
│                       │                │          │        │                                    │               │ https://avd.aquasec.com/nvd/cve-2022-39222                  │
└───────────────────────┴────────────────┴──────────┴────────┴────────────────────────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

usr/local/bin/gomplate (gobinary)

Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 7, HIGH: 2, CRITICAL: 0)

┌───────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│            Library            │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├───────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/go-jose/go-jose/v4 │ CVE-2025-27144 │ MEDIUM   │ fixed  │ v4.0.2            │ 4.0.5                        │ go-jose: Go JOSE's Parsing Vulnerable to Denial of Service   │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-27144                   │
├───────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/golang-jwt/jwt/v5  │ CVE-2025-30204 │ HIGH     │        │ v5.2.1            │ 5.2.2                        │ golang-jwt/jwt: jwt-go allows excessive memory allocation    │
│                               │                │          │        │                   │                              │ during header parsing                                        │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-30204                   │
├───────────────────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto           │ CVE-2025-22869 │          │        │ v0.31.0           │ 0.35.0                       │ golang.org/x/crypto/ssh: Denial of Service in the Key        │
│                               │                │          │        │                   │                              │ Exchange of golang.org/x/crypto/ssh                          │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22869                   │
├───────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net              │ CVE-2025-22870 │ MEDIUM   │        │ v0.32.0           │ 0.36.0                       │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:     │
│                               │                │          │        │                   │                              │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net    │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22870                   │
│                               ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                               │ CVE-2025-22872 │          │        │                   │ 0.38.0                       │ golang.org/x/net/html: Incorrect Neutralization of Input     │
│                               │                │          │        │                   │                              │ During Web Page Generation in x/net in...                    │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22872                   │
├───────────────────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                        │ CVE-2024-45336 │          │        │ v1.23.4           │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly    │
│                               │                │          │        │                   │                              │ sent after cross-domain redirect                             │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│                               ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│                               │ CVE-2024-45341 │          │        │                   │                              │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│                               │                │          │        │                   │                              │ bypass URI name...                                           │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
│                               ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                               │ CVE-2025-22866 │          │        │                   │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│                               │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
│                               ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                               │ CVE-2025-22871 │          │        │                   │ 1.23.8, 1.24.2               │ net/http: Request smuggling due to acceptance of invalid     │
│                               │                │          │        │                   │                              │ chunked data in net/http...                                  │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22871                   │
└───────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

With tagged version:
trivy image -d dexidp/dex:v2.42.1-alpine

2025-04-23T15:02:33+02:00	DEBUG	[image] Detected image ID	image_id="sha256:d915450439a8edc8f2224005d6fe389c6e5238582f2b004cd7d5273c96653011"
2025-04-23T15:02:33+02:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350 sha256:016a18e925e10e1b8c73fd272e53a01e11234b248144d082f626a6e3e9527baf sha256:454f18775877c5c3a39430fb70dc60429e122794c82d540e361beab158ab0e37 sha256:e180cb14417aedfed8f48b0df9c820c284b5c4fcbce5ce6d14d1cf37427b66b3 sha256:c2138b24b36efd43feaa7688055ca88174f71f409ed174a485b62abe93a36549 sha256:dc62b2d5c3fcb3a87132c80060865953ae0da643b5c57f496d6f1bac0a0750f2 sha256:b3f1b582afd9c31497d3b3237be101872c3ce033c4373d8dd28592dbf8787710 sha256:13c3541a7a5fd1418a6c8a082dd5e71fcda194ab7d9a8e366e213fa7148f0067 sha256:a1d3f2472bdb939e3c5216285285a7f894677d8c134738ac6e2e3412556c2555 sha256:3364b06a600f67d722818a075161eb311c79b5610baf7e8ba5f03db8fc19e6a6]
2025-04-23T15:02:33+02:00	DEBUG	[image] Detected base layers	diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350]
2025-04-23T15:02:33+02:00	INFO	Detected OS	family="alpine" version="3.21.3"
2025-04-23T15:02:33+02:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.21" repository="3.21" pkg_num=15
2025-04-23T15:02:33+02:00	INFO	Number of language-specific files	num=3
2025-04-23T15:02:33+02:00	INFO	[gobinary] Detecting vulnerabilities...
2025-04-23T15:02:33+02:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/dex"
2025-04-23T15:02:33+02:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="./api/v2"
2025-04-23T15:02:33+02:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/docker-entrypoint"
2025-04-23T15:02:33+02:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/gomplate"
2025-04-23T15:02:33+02:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.61/docs/scanner/vulnerability#severity-selection for details.
2025-04-23T15:02:33+02:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-04-23T15:02:33+02:00	DEBUG	[vex] VEX filtering is disabled

Report Summary

┌───────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                  Target                   │   Type   │ Vulnerabilities │ Secrets │
├───────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ dexidp/dex:v2.42.1-alpine (alpine 3.21.3) │  alpine  │        0        │    -    │
├───────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/dex                         │ gobinary │        5        │    -    │
├───────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/docker-entrypoint           │ gobinary │        1        │    -    │
├───────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/gomplate                    │ gobinary │        9        │    -    │
└───────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


usr/local/bin/dex (gobinary)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 1, CRITICAL: 0)

┌───────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────────────┐
│            Library            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                            │
├───────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ github.com/go-jose/go-jose/v4 │ CVE-2025-27144 │ MEDIUM   │ fixed  │ v4.0.4            │ 4.0.5          │ go-jose: Go JOSE's Parsing Vulnerable to Denial of Service │
│                               │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-27144                 │
├───────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto           │ CVE-2025-22869 │ HIGH     │        │ v0.33.0           │ 0.35.0         │ golang.org/x/crypto/ssh: Denial of Service in the Key      │
│                               │                │          │        │                   │                │ Exchange of golang.org/x/crypto/ssh                        │
│                               │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-22869                 │
├───────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ golang.org/x/net              │ CVE-2025-22870 │ MEDIUM   │        │ v0.35.0           │ 0.36.0         │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:   │
│                               │                │          │        │                   │                │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net  │
│                               │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-22870                 │
│                               ├────────────────┤          │        │                   ├────────────────┼────────────────────────────────────────────────────────────┤
│                               │ CVE-2025-22872 │          │        │                   │ 0.38.0         │ golang.org/x/net/html: Incorrect Neutralization of Input   │
│                               │                │          │        │                   │                │ During Web Page Generation in x/net in...                  │
│                               │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-22872                 │
├───────────────────────────────┼────────────────┤          │        ├───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib                        │ CVE-2025-22871 │          │        │ v1.24.0           │ 1.23.8, 1.24.2 │ net/http: Request smuggling due to acceptance of invalid   │
│                               │                │          │        │                   │                │ chunked data in net/http...                                │
│                               │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-22871                 │
└───────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────────────┘

usr/local/bin/docker-entrypoint (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                          Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-22871 │ MEDIUM   │ fixed  │ v1.24.0           │ 1.23.8, 1.24.2 │ net/http: Request smuggling due to acceptance of invalid │
│         │                │          │        │                   │                │ chunked data in net/http...                              │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2025-22871               │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────┘

usr/local/bin/gomplate (gobinary)

Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 7, HIGH: 2, CRITICAL: 0)

┌───────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│            Library            │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├───────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/go-jose/go-jose/v4 │ CVE-2025-27144 │ MEDIUM   │ fixed  │ v4.0.2            │ 4.0.5                        │ go-jose: Go JOSE's Parsing Vulnerable to Denial of Service   │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-27144                   │
├───────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/golang-jwt/jwt/v5  │ CVE-2025-30204 │ HIGH     │        │ v5.2.1            │ 5.2.2                        │ golang-jwt/jwt: jwt-go allows excessive memory allocation    │
│                               │                │          │        │                   │                              │ during header parsing                                        │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-30204                   │
├───────────────────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto           │ CVE-2025-22869 │          │        │ v0.31.0           │ 0.35.0                       │ golang.org/x/crypto/ssh: Denial of Service in the Key        │
│                               │                │          │        │                   │                              │ Exchange of golang.org/x/crypto/ssh                          │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22869                   │
├───────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net              │ CVE-2025-22870 │ MEDIUM   │        │ v0.32.0           │ 0.36.0                       │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:     │
│                               │                │          │        │                   │                              │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net    │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22870                   │
│                               ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                               │ CVE-2025-22872 │          │        │                   │ 0.38.0                       │ golang.org/x/net/html: Incorrect Neutralization of Input     │
│                               │                │          │        │                   │                              │ During Web Page Generation in x/net in...                    │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22872                   │
├───────────────────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                        │ CVE-2024-45336 │          │        │ v1.23.4           │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly    │
│                               │                │          │        │                   │                              │ sent after cross-domain redirect                             │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│                               ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│                               │ CVE-2024-45341 │          │        │                   │                              │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│                               │                │          │        │                   │                              │ bypass URI name...                                           │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
│                               ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                               │ CVE-2025-22866 │          │        │                   │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│                               │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
│                               ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                               │ CVE-2025-22871 │          │        │                   │ 1.23.8, 1.24.2               │ net/http: Request smuggling due to acceptance of invalid     │
│                               │                │          │        │                   │                              │ chunked data in net/http...                                  │
│                               │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22871                   │
└───────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

trivy --version yields

Version: 0.61.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-04-23 06:18:39.172900945 +0000 UTC
  NextUpdate: 2025-04-24 06:18:39.172900434 +0000 UTC
  DownloadedAt: 2025-04-23 07:19:28.702098 +0000 UTC
...

But the question would be, is it safe to reference the tag latest-apline? Since trivy there reports those old Criticals. Sometimes, one needs the current state of master instead of waiting till next official tagged release.

[sagikazarmark]

It's a false positive: trivy can't detect the correct version.

I'll take a look later, but we supposedly fixed that in 2.42.1 and with the latest trivy those critical vulnerabilities disappeared.

[sagikazarmark]

It's generally not a good idea to reference latest (or moving tags in general).

It depends on the client whether it pulls the latest tag or uses a locally available version, so you can never be sure that latest is actually the latest available version.

[arteonprifti]

Hello, I have tested with the latest trivy and those CVEs still show up:

docker run aquasec/trivy:0.62.0  image -d dexidp/dex:v2.42.1
...
Report Summary

┌────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│               Target               │   Type   │ Vulnerabilities │ Secrets │
├────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ dexidp/dex:v2.42.1 (alpine 3.21.3) │  alpine  │        0        │    -    │
├────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/dex                  │ gobinary │        5        │    -    │
├────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/docker-entrypoint    │ gobinary │        1        │    -    │
├────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/gomplate             │ gobinary │        9        │    -    │
└────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
...

Anything you can do about it?

[nabokihms]

@MoeBensu you cannot scan the latest dex image with trivy for now. In our case, trivy gets the version from ldflags, and for the latest images flags are equal to -ldflags="-w -X main.version=master -extldflags \"-static\"". In this case, trivy instead of using master takes the fake v0.0.0- version from the go buildinfo mod github.com/dexidp/dex v0.0.0-20250512145216-f7ead820a850.

For us as Dex maintainers, the only option is to set main.version to something meaningful, e.g., the next tag v2.43.0-rc.1.

You can find more about the problem in this discussion aquasecurity/trivy#8431