Description
Hi team,
We’re in the process of upgrading to Kubernetes 1.31 and using the cluster-autoscaler:v1.31.2 image from this repo. During our internal security scan, a few known vulnerabilities were flagged in the image’s dependencies.
Here's the list of CVEs that came up:
CVEs detected:
CVE-2025-30204 – Affects golang-jwt/jwt v4.5.0 & v5.2.1 (Fixed in 4.5.2 / 5.2.2)
A parsing issue in ParseUnverified can lead to security risks if misused.
CVE-2024-45338 – Affects golang.org/x/net/html v0.26.0 (Fixed in 0.33.0)
Potential DoS from non-linear parsing of crafted inputs.
CVE-2025-22872 – Affects golang.org/x/net/html v0.26.0 (Fixed in 0.38.0)
Incorrect handling of self-closing tags with unquoted attribute values.
CVE-2024-45310 – Affects runc v1.1.13 (Fixed in 1.1.14 / 1.2.0-rc.3)
Vulnerability in OCI runtime execution logic.
CVE-2024-35255 – Affects Azure SDK for Go v1.5.2 (Fixed in 1.6.0)
Elevation of privilege in Azure Identity library.
CVE-2024-51744 – Affects golang-jwt/jwt v4.5.0 (Fixed in 4.5.1)
Error handling confusion in ParseWithClaims.
It’d be great if these dependencies could be updated or the image could be rebuilt with patched versions.
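As an added example (not from this issue or the cluster-autoscaler project), the following Go program checks the `go version -m <binary>` output of a rebuilt image against the fixed versions listed above, so a rebuild can be verified rather than trusted; the module paths are my assumption, in particular the azidentity path for "Azure SDK for Go", and the sample output is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Minimum patched versions from the CVE list in this issue; module paths are an assumption (azidentity is a guess at which Azure SDK for Go module is meant).
var minFixed = map[string]string{
	"github.com/golang-jwt/jwt/v4":                     "v4.5.2",  // CVE-2025-30204, CVE-2024-51744
	"github.com/golang-jwt/jwt/v5":                     "v5.2.2",  // CVE-2025-30204
	"golang.org/x/net":                                 "v0.38.0", // CVE-2024-45338, CVE-2025-22872
	"github.com/opencontainers/runc":                   "v1.1.14", // CVE-2024-45310 (1.2.x needs >= 1.2.0-rc.3)
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity": "v1.6.0",  // CVE-2024-35255
}

// rank maps "v1.2.0-rc.3" to a comparable number; a prerelease sorts just below its release.
func rank(v string) int {
	v, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	n := 0
	for _, p := range strings.SplitN(v, ".", 3) {
		x, _ := strconv.Atoi(p)
		n = n*10000 + x
	}
	if pre != "" {
		n--
	}
	return n
}

// Findings scans `go version -m <binary>` output and returns the "dep" modules still below their patched version.
func Findings(goVersionM string) []string {
	var out []string
	for _, line := range strings.Split(goVersionM, "\n") {
		if f := strings.Fields(line); len(f) >= 3 && f[0] == "dep" {
			if want, ok := minFixed[f[1]]; ok && rank(f[2]) < rank(want) {
				out = append(out, fmt.Sprintf("%s %s < %s", f[1], f[2], want))
			}
		}
	}
	return out
}
// Constructed sample of `go version -m cluster-autoscaler` output, not real scan data.
const sample = "cluster-autoscaler: go1.23\n\tdep\tgithub.com/golang-jwt/jwt/v4\tv4.5.0\th1:x=\n" +
	"\tdep\tgolang.org/x/net\tv0.26.0\th1:x=\n" +
	"\tdep\tgithub.com/Azure/azure-sdk-for-go/sdk/azidentity\tv1.6.0\th1:x=\n"

func main() { fmt.Println(strings.Join(Findings(sample), "\n")) }
```

Run it against the real binary with `go version -m /path/to/cluster-autoscaler` piped into Findings; an empty result means every listed module is at or above its fixed version.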