Skip to main content
New to Testkube? Unleash the power of cloud native testing in Kubernetes with Testkube. Get Started >

testkube-api-server-2.3.0_linux_amd64

digestsha256:472da05cd6a7e5135970fbffd7ae547c098b6fb416805bd982872119d862e1c3
vulnerabilitiescritical: 0 high: 14 medium: 15 low: 5
platformlinux/amd64
size71 MB
packages255
critical: 0 high: 6 medium: 1 low: 1 git 2.45.3-r0 (apk)

pkg:apk/alpine/git@2.45.3-r0?arch=x86_64&distro=alpine-3.20.6

# api-server.Dockerfile (34:34)
RUN apk --no-cache add ca-certificates libssl3 git

high : CVE--2025--48385

Affected range<2.45.4-r0
Fixed version2.45.4-r0
EPSS Score0.145%
EPSS Percentile36th percentile
Description

high : CVE--2025--46334

Affected range<2.45.4-r0
Fixed version2.45.4-r0
EPSS Score0.026%
EPSS Percentile6th percentile
Description

high : CVE--2025--27614

Affected range<2.45.4-r0
Fixed version2.45.4-r0
EPSS Score0.027%
EPSS Percentile6th percentile
Description

high : CVE--2025--46835

Affected range<2.45.4-r0
Fixed version2.45.4-r0
EPSS Score0.028%
EPSS Percentile7th percentile
Description

high : CVE--2025--48384

Affected range<2.45.4-r0
Fixed version2.45.4-r0
EPSS Score2.743%
EPSS Percentile86th percentile
Description

high : CVE--2024--52005

Affected range<=2.45.3-r0
Fixed versionNot Fixed
EPSS Score0.121%
EPSS Percentile32nd percentile
Description

medium : CVE--2025--48386

Affected range<2.45.4-r0
Fixed version2.45.4-r0
EPSS Score0.017%
EPSS Percentile3rd percentile
Description

low : CVE--2025--27613

Affected range<2.45.4-r0
Fixed version2.45.4-r0
EPSS Score0.029%
EPSS Percentile7th percentile
Description
critical: 0 high: 2 medium: 7 low: 1 stdlib 1.25.1 (golang)

pkg:golang/stdlib@1.25.1

# api-server.Dockerfile (36:36)
COPY --from=build /app /bin/app

high : CVE--2025--61725

Affected range
>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.030%
EPSS Percentile8th percentile
Description

The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

high : CVE--2025--58188

Affected range
>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.024%
EPSS Percentile5th percentile
Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

medium : CVE--2025--61723

Affected range
>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.029%
EPSS Percentile7th percentile
Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

medium : CVE--2025--58187

Affected range
>=1.25.0
<1.25.3
Fixed version1.25.3
EPSS Score0.008%
EPSS Percentile1st percentile
Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

medium : CVE--2025--61724

Affected range
>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.039%
EPSS Percentile11th percentile
Description

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

medium : CVE--2025--58189

Affected range
>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.029%
EPSS Percentile7th percentile
Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

medium : CVE--2025--58186

Affected range
>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.039%
EPSS Percentile11th percentile
Description

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

medium : CVE--2025--58185

Affected range
>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.019%
EPSS Percentile4th percentile
Description

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

medium : CVE--2025--47912

Affected range
>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.043%
EPSS Percentile13th percentile
Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

low : CVE--2025--58183

Affected range
>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.006%
EPSS Percentile0th percentile
Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

critical: 0 high: 2 medium: 3 low: 0 libcurl 8.12.1-r0 (apk)

pkg:apk/alpine/libcurl@8.12.1-r0?arch=x86_64&distro=alpine-3.20.6&upstream=curl

# api-server.Dockerfile (34:34)
RUN apk --no-cache add ca-certificates libssl3 git

high : CVE--2025--9086

Affected range<8.14.1-r2
Fixed version8.14.1-r2
EPSS Score0.054%
EPSS Percentile17th percentile
Description

high : CVE--2025--5399

Affected range<8.14.1-r0
Fixed version8.14.1-r0
EPSS Score0.027%
EPSS Percentile6th percentile
Description

medium : CVE--2025--4947

Affected range<8.14.0-r0
Fixed version8.14.0-r0
EPSS Score0.019%
EPSS Percentile4th percentile
Description

medium : CVE--2025--10148

Affected range<8.14.1-r2
Fixed version8.14.1-r2
EPSS Score0.039%
EPSS Percentile11th percentile
Description

medium : CVE--2025--5025

Affected range<8.14.0-r0
Fixed version8.14.0-r0
EPSS Score0.021%
EPSS Percentile4th percentile
Description
critical: 0 high: 1 medium: 2 low: 0 libssl3 3.3.3-r0 (apk)

pkg:apk/alpine/libssl3@3.3.3-r0?arch=x86_64&distro=alpine-3.20.6&upstream=openssl

# api-server.Dockerfile (33:33)
FROM ${ALPINE_IMAGE}

high : CVE--2025--9230

Affected range<3.3.5-r0
Fixed version3.3.5-r0
EPSS Score0.029%
EPSS Percentile7th percentile
Description

medium : CVE--2025--9231

Affected range<3.3.5-r0
Fixed version3.3.5-r0
EPSS Score0.014%
EPSS Percentile2nd percentile
Description

medium : CVE--2025--9232

Affected range<3.3.5-r0
Fixed version3.3.5-r0
EPSS Score0.026%
EPSS Percentile6th percentile
Description
critical: 0 high: 1 medium: 0 low: 0 libexpat 2.7.0-r0 (apk)

pkg:apk/alpine/libexpat@2.7.0-r0?arch=x86_64&distro=alpine-3.20.6&upstream=expat

# api-server.Dockerfile (34:34)
RUN apk --no-cache add ca-certificates libssl3 git

high : CVE--2025--59375

Affected range<2.7.2-r0
Fixed version2.7.2-r0
EPSS Score0.102%
EPSS Percentile29th percentile
Description
critical: 0 high: 1 medium: 0 low: 0 c-ares 1.33.1-r0 (apk)

pkg:apk/alpine/c-ares@1.33.1-r0?arch=x86_64&distro=alpine-3.20.6

# api-server.Dockerfile (34:34)
RUN apk --no-cache add ca-certificates libssl3 git

high : CVE--2025--31498

Affected range<=1.33.1-r0
Fixed versionNot Fixed
EPSS Score0.123%
EPSS Percentile32nd percentile
Description
critical: 0 high: 1 medium: 0 low: 0 github.com/gofiber/fiber/v2 2.52.5 (golang)

pkg:golang/github.com/gofiber/fiber@2.52.5#v2

# api-server.Dockerfile (36:36)
COPY --from=build /app /bin/app

high 8.7: CVE--2025--54801 Memory Allocation with Excessive Size Value

Affected range<=2.52.8
Fixed version2.52.9
CVSS Score8.7
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score0.063%
EPSS Percentile20th percentile
Description

Description

When using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder.

The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash.

Steps to Reproduce

Create a POST request handler that accepts x-www-form-urlencoded data

package main

import (
	"fmt"
	"net/http"

	"github.com/gofiber/fiber/v2"
)

type RequestBody struct {
	NestedContent []*struct{} `form:"test"`
}

func main() {
	app := fiber.New()

	app.Post("/", func(c *fiber.Ctx) error {
		formData := RequestBody{}
		if err := c.BodyParser(&formData); err != nil {
			fmt.Println(err)
			return c.SendStatus(http.StatusUnprocessableEntity)
		}
		return nil
	})

	fmt.Println(app.Listen(":3000"))
}

Run the server and send a POST request with a large numeric key in form data, such as:

curl -v -X POST localhost:3000 --data-raw 'test.18446744073704' \
  -H 'Content-Type: application/x-www-form-urlencoded'

Relevant Code Snippet

Within the decoder's decode method:

idx := parts[0].index
if v.IsNil() || v.Len() < idx+1 {
    value := reflect.MakeSlice(t, idx+1, idx+1)  // <-- Panic/crash occurs here when idx is huge
    if v.Len() < idx+1 {
        reflect.Copy(value, v)
    }
    v.Set(value)
}

The idx is not validated before use, leading to unsafe slice allocation for extremely large values.

Impact

  • Application panic or crash on malicious or malformed input.
  • Potential denial of service (DoS) via memory exhaustion or server crash.
  • Lack of defensive checks in the parsing code causes instability.
critical: 0 high: 0 medium: 1 low: 0 github.com/vektah/gqlparser/v2 2.5.2-0.20230422221642-25e09f9d292d (golang)

pkg:golang/github.com/vektah/gqlparser@2.5.2-0.20230422221642-25e09f9d292d#v2

# api-server.Dockerfile (36:36)
COPY --from=build /app /bin/app

medium 5.3: CVE--2023--49559 Uncontrolled Resource Consumption

Affected range<2.5.14
Fixed version2.5.14
CVSS Score5.3
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score0.116%
EPSS Percentile31st percentile
Description

An issue in vektah gqlparser open-source-library v.2.5.10 allows a remote attacker to cause a denial of service via a crafted script to the parserDirectives function.

critical: 0 high: 0 medium: 1 low: 0 gopkg.in/square/go-jose.v2 2.6.0 (golang)

pkg:golang/gopkg.in/square/go-jose.v2@2.6.0

# api-server.Dockerfile (36:36)
COPY --from=build /app /bin/app

medium 4.3: CVE--2024--28180 Improper Handling of Highly Compressed Data (Data Amplification)

Affected range<=2.6.0
Fixed versionNot Fixed
CVSS Score4.3
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
EPSS Score0.247%
EPSS Percentile48th percentile
Description

Impact

An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) for reporting.

Patches

The problem is fixed in the following packages and versions:

  • github.com/go-jose/go-jose/v4 version 4.0.1
  • github.com/go-jose/go-jose/v3 version 3.0.3
  • gopkg.in/go-jose/go-jose.v2 version 2.6.3

The problem will not be fixed in the following package because the package is archived:

  • gopkg.in/square/go-jose.v2
critical: 0 high: 0 medium: 0 low: 2 ssl_client 1.36.1-r29 (apk)

pkg:apk/alpine/ssl_client@1.36.1-r29?arch=x86_64&distro=alpine-3.20.6&upstream=busybox

# api-server.Dockerfile (33:33)
FROM ${ALPINE_IMAGE}

low : CVE--2025--46394

Affected range<=1.36.1-r30
Fixed versionNot Fixed
EPSS Score0.015%
EPSS Percentile2nd percentile
Description

low : CVE--2024--58251

Affected range<=1.36.1-r30
Fixed versionNot Fixed
EPSS Score0.017%
EPSS Percentile3rd percentile
Description
critical: 0 high: 0 medium: 0 low: 1 github.com/docker/docker 27.3.1+incompatible (golang)

pkg:golang/github.com/docker/docker@27.3.1%2Bincompatible

# api-server.Dockerfile (36:36)
COPY --from=build /app /bin/app

low 3.3: CVE--2025--54410 Missing Initialization of Resource

Affected range
>=26.0.0-rc1
<28.0.0
Fixed version28.0.0
CVSS Score3.3
CVSS VectorCVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
EPSS Score0.006%
EPSS Percentile0th percentile
Description

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (dockerd), which is developed as moby/moby is commonly referred to as Docker, or Docker Engine.

Firewalld is a daemon used by some Linux distributions to provide a dynamically managed firewall. When Firewalld is running, Docker uses its iptables backend to create rules, including rules to isolate containers in one bridge network from containers in other bridge networks.

Impact

The iptables rules created by Docker are removed when firewalld is reloaded using, for example "firewall-cmd --reload", "killall -HUP firewalld", or "systemctl reload firewalld".

When that happens, Docker must re-create the rules. However, in affected versions of Docker, the iptables rules that isolate containers in different bridge networks from each other are not re-created.

Once these rules have been removed, containers have access to any port, on any container, in any non-internal bridge network, running on the Docker host.

Containers running in networks created with --internal or equivalent have no access to other networks. Containers that are only connected to these networks remain isolated after a firewalld reload.

Where Docker Engine is not running in the host's network namespace, it is unaffected. Including, for example, Rootless Mode, and Docker Desktop.

Patches

Moby releases 28.0.0 and newer are not affected. A fix is available in moby release 25.0.13.

Workarounds

After reloading firewalld, either:

  • Restart the docker daemon,
  • Re-create bridge networks, or
  • Use rootless mode.

References

https://firewalld.org/ https://firewalld.org/documentation/howto/reload-firewalld.html