CVEs are active again
Preflight Checklist
- [x] I agree to follow the Code of Conduct that this project adheres to.
- [x] I have searched the issue tracker for an issue that matches the one I want to file, without success.
- [x] I am not looking for support or already pursued the available support channels without success.
Version
2.42.0
Storage Type
etcd
Installation Type
Official container image
Expected Behavior
The image does not show any CVEs that have already been fixed when scanned with a vulnerability scanner.
Actual Behavior
The vulnerability scanner shows the following CVEs again.
usr/local/bin/dex (gobinary)
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 3)
┌───────────────────────────────┬────────────────┬──────────┬────────┬──────────────────────────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────────────┼────────────────┼──────────┼────────┼──────────────────────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/dexidp/dex │ CVE-2020-26290 │ CRITICAL │ fixed │ v0.0.0-20250219130842-7d1a7473c8a0+dirty │ 2.27.0 │ Critical security issues in XML encoding in │
│ │ │ │ │ │ │ github.com/dexidp/dex │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-26290 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2020-27847 │ │ │ │ │ dexidp/dex: authentication bypass in saml authentication │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-27847 │
│ ├────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-39222 │ │ │ │ 2.35.0 │ dexidp: gaining access to applications accepting that token │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-39222 │
├───────────────────────────────┼────────────────┼──────────┤ ├──────────────────────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/go-jose/go-jose/v4 │ CVE-2025-27144 │ MEDIUM │ │ v4.0.4 │ 4.0.5 │ go-jose: Go JOSE's Parsing Vulnerable to Denial of Service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-27144 │
├───────────────────────────────┼────────────────┤ │ ├──────────────────────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2025-22870 │ │ │ v0.35.0 │ 0.36.0 │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: │
│ │ │ │ │ │ │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22870 │
└───────────────────────────────┴────────────────┴──────────┴────────┴──────────────────────────────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
usr/local/bin/docker-entrypoint (gobinary)
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 3)
┌───────────────────────┬────────────────┬──────────┬────────┬──────────────────────────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────┼────────────────┼──────────┼────────┼──────────────────────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/dexidp/dex │ CVE-2020-26290 │ CRITICAL │ fixed │ v0.0.0-20250219130842-7d1a7473c8a0+dirty │ 2.27.0 │ Critical security issues in XML encoding in │
│ │ │ │ │ │ │ github.com/dexidp/dex │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-26290 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2020-27847 │ │ │ │ │ dexidp/dex: authentication bypass in saml authentication │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-27847 │
│ ├────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-39222 │ │ │ │ 2.35.0 │ dexidp: gaining access to applications accepting that token │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-39222 │
└───────────────────────┴────────────────┴──────────┴────────┴──────────────────────────────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
usr/local/bin/gomplate (gobinary)
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 1, CRITICAL: 0)
┌───────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/go-jose/go-jose/v4 │ CVE-2025-27144 │ MEDIUM │ fixed │ v4.0.2 │ 4.0.5 │ go-jose: Go JOSE's Parsing Vulnerable to Denial of Service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-27144 │
├───────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/golang-jwt/jwt/v5 │ CVE-2025-30204 │ HIGH │ │ v5.2.1 │ 5.2.2 │ golang-jwt/jwt: jwt-go allows excessive memory allocation │
│ │ │ │ │ │ │ during header parsing │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-30204 │
├───────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2025-22870 │ MEDIUM │ │ v0.32.0 │ 0.36.0 │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: │
│ │ │ │ │ │ │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22870 │
├───────────────────────────────┼────────────────┤ │ ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-45336 │ │ │ v1.23.4 │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly │
│ │ │ │ │ │ │ sent after cross-domain redirect │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45336 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-45341 │ │ │ │ │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│ │ │ │ │ │ │ bypass URI name... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45341 │
│ ├────────────────┤ │ │ ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-22866 │ │ │ │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│ │ │ │ │ │ │ on ppc64le in crypto/internal/nistec │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22866 │
└───────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
Steps To Reproduce
- run trivy image dexidp/dex:v2.42.0
- see the report
Additional Information
The provided version of the CLI is strange:
- github.com/dexidp/dex:v0.0.0-20250219130842-7d1a7473c8a0+dirty
Configuration
Logs
Your new version 2.42.1 does not fix the problem.
Could it be due to your versioning of the CLI?
0.0.0-20250414234518-4c3e83b90135
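The v0.0.0-... strings quoted above are Go pseudo-versions. Since Go 1.24, go build stamps the main module's version into the binary from the VCS tag at the built commit, falls back to a pseudo-version when that commit carries no tag, and appends +dirty when the working tree had uncommitted changes. A scanner that orders module versions by semver then sees v0.0.0-20250219130842-... as older than the 2.27.0 and 2.35.0 fix versions and reports every historical advisory for github.com/dexidp/dex, which is exactly the shape of the rows in this issue. The Go program below is an added illustration and is not code from dex or Trivy: it reproduces that ordering for the version strings quoted here and reads the module versions actually embedded in a Go binary (the same data `go version -m` prints). The semver-only scanner model, the simplified prerelease comparison and the command-line path argument are assumptions made for the example, not a description of Trivy's implementation.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// Go pseudo-version: vX.Y.Z-[pre.]yyyymmddhhmmss-commit, optional "+meta" such as "+dirty".
var pseudoVersionRE = regexp.MustCompile(
	`^v\d+\.\d+\.\d+-(?:[0-9A-Za-z.-]*\.)?\d{14}-[0-9a-f]{12}(?:\+[0-9A-Za-z.-]+)?$`)

// isPseudoVersion reports whether v was synthesised from a commit instead of a release tag.
func isPseudoVersion(v string) bool { return pseudoVersionRE.MatchString(v) }

// isDirty reports the "+dirty" build-metadata marker that Go 1.24+ stamps when
// the binary was built from a tree with uncommitted changes.
func isDirty(v string) bool {
	_, meta, ok := strings.Cut(v, "+")
	return ok && strings.Contains("."+meta+".", ".dirty.")
}

// parseSemver splits "v1.2.3-pre+meta" into numeric core and prerelease; semver ignores the metadata.
func parseSemver(v string) (core [3]int, pre string) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	v, pre, _ = strings.Cut(v, "-")
	for i, p := range strings.SplitN(v, ".", 3) {
		core[i], _ = strconv.Atoi(p) // a malformed component counts as 0
	}
	return core, pre
}

// compareSemver returns -1, 0 or 1 ordering a against b by semver precedence: numeric
// core first, then a prerelease sorts below the release with the same core (two
// different prereleases are compared as plain strings here, a simplification). A
// pseudo-version's "-20250219130842-..." suffix is a prerelease on v0.0.0, so it
// sits below every tagged release of the module.
func compareSemver(a, b string) int {
	ca, pa := parseSemver(a)
	cb, pb := parseSemver(b)
	for i := 0; i < 3; i++ {
		if ca[i] < cb[i] {
			return -1
		} else if ca[i] > cb[i] {
			return 1
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "" || pb == "":
		return strings.Compare(pb, pa) // the side without a prerelease is the release and wins
	}
	return strings.Compare(pa, pb)
}

// affected models a scanner that orders purely by semver: it flags installed when it
// is older than the advisory's fix version (Trivy prints the latter without a leading "v").
func affected(installed, fixed string) bool {
	return compareSemver(installed, "v"+strings.TrimPrefix(fixed, "v")) < 0
}

// moduleVersions reads the build info embedded in a Go binary (what `go version -m`
// prints) and maps each module path to the version that was actually linked in.
func moduleVersions(path string) (map[string]string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	out := map[string]string{bi.Main.Path: bi.Main.Version}
	for _, d := range bi.Deps {
		if d.Replace != nil { // with a replace directive the replacement is what got linked
			d = d.Replace
		}
		out[d.Path] = d.Version
	}
	return out, nil
}

func main() {
	// Assumed invocation: go run . /path/to/binary (e.g. usr/local/bin/dex copied out
	// of the image); without an argument the program inspects its own binary.
	path := os.Args[0]
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	mods, err := moduleVersions(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "read build info:", err)
		os.Exit(1)
	}
	for p, v := range mods {
		fmt.Printf("%-45s %-42s pseudo=%-5v dirty=%v\n", p, v, isPseudoVersion(v), isDirty(v))
	}
}
```

For the rows quoted in this issue, affected("v0.0.0-20250219130842-7d1a7473c8a0+dirty", "2.27.0") is true while affected("v2.42.1", "2.35.0") is false, so the same source at the same commit is either flagged for every old advisory or for none depending solely on how the version was stamped. Running the program against the dex binary extracted from an image shows which string it actually carries; that is the value to compare against the release tag before treating a scanner row as a regression.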
What Trivy version do you use? I tried the latest and it reports the dex version correctly.
@sagikazarmark When running e.g. trivy image -v dexidp/dex:latest-alpine
it also reports old CRITICAL CVEs that should have been fixed long ago, but for some reason Trivy reports them in the current latest image.
@MoeBensu can you please confirm that the latest image in fact points to the latest version (check the sha256 sum for latest and 2.42.1) and what version of Trivy you are running?
@sagikazarmark
trivy image -d dexidp/dex:latest-alpine yields this output:
...
2025-04-23T09:22:42+02:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2025-04-23T09:22:42+02:00 DEBUG [nuget] The nuget packages directory couldn't be found. License search disabled
2025-04-23T09:22:42+02:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2025-04-23T09:22:43+02:00 DEBUG [image] Detected image ID image_id="sha256:f8142d6c3f886a180ca1b9b7f6e6d420b484051a2aeb5be2c76f142515cba3ff"
2025-04-23T09:22:43+02:00 DEBUG [image] Detected diff ID diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350 sha256:ba8d3e2b323ce43e9ec8ef16293e98d3db8200d2636d1904ebfbadcab940555e sha256:ae0e4360eb5e29c6f0294633042c683b2635ec04b8a44442303071ed6ad01fd6 sha256:89f5ceed0df17899ae3fc1c51f7d7e1d9e78b5d2cb5f20df1b041a6056f9ea4e sha256:00e23f6d22e2b6e9e6917211f3636c1043d2d9365348be8ad8b3cdb19544bae1 sha256:e0797cbe265215831b6dcb81708d9f7bb86a3b41b44ab95098bae63379247e56 sha256:7124a78ab881e2f3b496ac6542cdd891233fbfc102181f73bc64d9c2a3453c02 sha256:d45e75b4fdcdd4097d4c0c7a2ad536590674463e9d392d6e4d8cb8ed8cbedfa5 sha256:95017831343d5ab3583e1b6c7ead347cf7bfd8ce789c63d094514bb1aae4b36d sha256:17ea77c7983d4b1ceff469a87000593123538d9cbe7e796794719aaf48434a4d]
2025-04-23T09:22:43+02:00 DEBUG [image] Detected base layers diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350]
2025-04-23T09:22:43+02:00 INFO Detected OS family="alpine" version="3.21.3"
2025-04-23T09:22:43+02:00 WARN This OS version is not on the EOL list family="alpine" version="3.21"
2025-04-23T09:22:43+02:00 INFO [alpine] Detecting vulnerabilities... os_version="3.21" repository="3.21" pkg_num=15
2025-04-23T09:22:43+02:00 INFO Number of language-specific files num=3
2025-04-23T09:22:43+02:00 INFO [gobinary] Detecting vulnerabilities...
2025-04-23T09:22:43+02:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path="usr/local/bin/dex"
2025-04-23T09:22:43+02:00 DEBUG [gobinary] Skipping vulnerability scan as no version is detected for the package name="./api/v2"
2025-04-23T09:22:43+02:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path="usr/local/bin/docker-entrypoint"
2025-04-23T09:22:43+02:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path="usr/local/bin/gomplate"
trivy --version outputs:
Version: 0.53.0
Vulnerability DB:
Version: 2
UpdatedAt: 2025-04-23 06:18:39.172900945 +0000 UTC
NextUpdate: 2025-04-24 06:18:39.172900434 +0000 UTC
DownloadedAt: 2025-04-23 07:19:28.702098 +0000 UTC
...
NOTE: I can reproduce the same Trivy report with the old critical CVEs on different machines.
docker pull dexidp/dex:latest-alpine outputs:
latest-alpine: Pulling from dexidp/dex
6e771e15690e: Pull complete
1a965432f056: Pull complete
2ae7ff8b8356: Pull complete
2580cc516b72: Pull complete
f273537fadcd: Pull complete
9f8b9aff4b7f: Pull complete
047f299e9bb0: Pull complete
9e8287355274: Pull complete
3e69aaee8db6: Pull complete
acdf92030f68: Pull complete
Digest: sha256:8388e1f8457486a80081828619b108fc1f17573597f3708028f563cf0b99954e
Status: Downloaded newer image for dexidp/dex:latest-alpine
docker.io/dexidp/dex:latest-alpine
followed by docker inspect dexidp/dex:latest-alpine:
[
{
"Id": "sha256:9656a63967f19bfd5192da7880c7ad0247887d17fa1ca7c5e74675f73d4b4b7a",
"RepoTags": [
"dexidp/dex:latest-alpine"
],
"RepoDigests": [
"dexidp/dex@sha256:8388e1f8457486a80081828619b108fc1f17573597f3708028f563cf0b99954e"
],
"Parent": "",
"Comment": "buildkit.dockerfile.v0",
"Created": "2025-04-15T09:36:38.646403771Z",
"DockerVersion": "",
"Author": "",
"Config": {
"Hostname": "",
"Domainname": "",
"User": "1001:1001",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cmd": [
"dex",
"serve",
"/etc/dex/config.docker.yaml"
],
"ArgsEscaped": true,
"Image": "",
"Volumes": null,
"WorkingDir": "/",
"Entrypoint": [
"/usr/local/bin/docker-entrypoint"
],
"OnBuild": null,
"Labels": {
"org.opencontainers.image.created": "2025-04-15T09:31:20.355Z",
"org.opencontainers.image.description": "OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors",
"org.opencontainers.image.documentation": "https://dexidp.io/docs/",
"org.opencontainers.image.licenses": "Apache-2.0",
"org.opencontainers.image.revision": "922e1547b73eb7f1fbb632194e74d69adc55fa8d",
"org.opencontainers.image.source": "https://github.com/dexidp/dex",
"org.opencontainers.image.title": "dex",
"org.opencontainers.image.url": "https://github.com/dexidp/dex",
"org.opencontainers.image.version": "master"
}
},
"Architecture": "arm64",
"Os": "linux",
"Size": 126610267,
"GraphDriver": {
"Data": {
"LowerDir": "/var/lib/docker/overlay2/fb2b0f5b8342fcb15443ff6a58a37d7d608b8bd65f45f54a3e519a10ac8233ba/diff:/var/lib/docker/overlay2/d019290d1b0ac0cf3b0fa9e001ba47a47eea9d3eb8c4e060ff5c48cb1d4475e2/diff:/var/lib/docker/overlay2/a7f81412e958efc6a754d75874a2b05f433018d14e2e680291b25bf7b5d0caed/diff:/var/lib/docker/overlay2/56f99aee851f82206aef49b035656ddcc36e47975e89be3d010606c7c667d10a/diff:/var/lib/docker/overlay2/89e53ec3c450921d16c4d0838b2fc47f5a90f7bddb33a4d61fd66f6e71d5039c/diff:/var/lib/docker/overlay2/7c811389335b259b6ee84f4c1d9195a80fabebd7a88e351e41e69fc0dc8a3b20/diff:/var/lib/docker/overlay2/3f174bafd45ee064971d23e7ffbd62bfaa2a99a08c668f68d8e9837394dfeb01/diff:/var/lib/docker/overlay2/ded1fa009c3d59cf6719bcfda3ae641ace5a28d6d027ac110a86eabf097d22da/diff:/var/lib/docker/overlay2/993f9606176ff14740a5921e34862c7da80e8fb32dd1aa7e3934ddc7fd4fd436/diff",
"MergedDir": "/var/lib/docker/overlay2/24f738158c8103b9337590ed2b342d4e47fee7689bc7d036ab52e246393c5c26/merged",
"UpperDir": "/var/lib/docker/overlay2/24f738158c8103b9337590ed2b342d4e47fee7689bc7d036ab52e246393c5c26/diff",
"WorkDir": "/var/lib/docker/overlay2/24f738158c8103b9337590ed2b342d4e47fee7689bc7d036ab52e246393c5c26/work"
},
"Name": "overlay2"
},
"RootFS": {
"Type": "layers",
"Layers": [
"sha256:a16e98724c05975ee8c40d8fe389c3481373d34ab20a1cf52ea2accc43f71f4c",
"sha256:23d6f726605361848621372bff37e5e675fed8b1b17931aab67ddcd3202159a3",
"sha256:2373cb89f470e29f86ec6a6a8e55972a4723960baee1fa83fbc6ace3203a940b",
"sha256:b9ae679078d96d7d9b8177c94d7c5a9ff9cb29ddea7a80c3247300b728bdcf46",
"sha256:4477e23f3718bdf3afebd93f64c58eacbc29be0099dd5562a4429ecc6d9aaf44",
"sha256:da5c165ad45fba066ffa10fb908216dbc6b2eac84e3a587b828dc498755ce9e9",
"sha256:14e0a2f8bad12d670dfe279f7400ae13877c3bf5162c5af7303eb8c53d333a0e",
"sha256:7651650ebffdf2f92c14612325d5fd4c1651d5239a0a8fae3494025bee4502e1",
"sha256:33c96c42aaa04f82b8811e42bc4b7ed6c3ae314fbbe41c3f343f98a0055f3713",
"sha256:fee5daa7e761dab8f78e5f7316f9f03bb31e9943c0dff9fa225bebc66da59a3e"
]
},
"Metadata": {
"LastTagTime": "0001-01-01T00:00:00Z"
}
}
]
Looks like you have different image IDs in the two scans (which is why using latest is generally not a great idea).
I can't reproduce it with the latest Trivy version.
Can you please upgrade trivy and run scan for a tagged version?
@sagikazarmark
I got the same output with a tagged version.
Is it the latest Trivy version?
@sagikazarmark No.
These are the outputs with the new Trivy.
trivy image -d dexidp/dex:latest-alpine
2025-04-23T15:00:54+02:00 DEBUG [image] Detected image ID image_id="sha256:f8142d6c3f886a180ca1b9b7f6e6d420b484051a2aeb5be2c76f142515cba3ff"
2025-04-23T15:00:54+02:00 DEBUG [image] Detected diff ID diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350 sha256:ba8d3e2b323ce43e9ec8ef16293e98d3db8200d2636d1904ebfbadcab940555e sha256:ae0e4360eb5e29c6f0294633042c683b2635ec04b8a44442303071ed6ad01fd6 sha256:89f5ceed0df17899ae3fc1c51f7d7e1d9e78b5d2cb5f20df1b041a6056f9ea4e sha256:00e23f6d22e2b6e9e6917211f3636c1043d2d9365348be8ad8b3cdb19544bae1 sha256:e0797cbe265215831b6dcb81708d9f7bb86a3b41b44ab95098bae63379247e56 sha256:7124a78ab881e2f3b496ac6542cdd891233fbfc102181f73bc64d9c2a3453c02 sha256:d45e75b4fdcdd4097d4c0c7a2ad536590674463e9d392d6e4d8cb8ed8cbedfa5 sha256:95017831343d5ab3583e1b6c7ead347cf7bfd8ce789c63d094514bb1aae4b36d sha256:17ea77c7983d4b1ceff469a87000593123538d9cbe7e796794719aaf48434a4d]
2025-04-23T15:00:54+02:00 DEBUG [image] Detected base layers diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350]
2025-04-23T15:00:54+02:00 INFO Detected OS family="alpine" version="3.21.3"
2025-04-23T15:00:54+02:00 INFO [alpine] Detecting vulnerabilities... os_version="3.21" repository="3.21" pkg_num=15
2025-04-23T15:00:54+02:00 INFO Number of language-specific files num=3
2025-04-23T15:00:54+02:00 INFO [gobinary] Detecting vulnerabilities...
2025-04-23T15:00:54+02:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path="usr/local/bin/dex"
2025-04-23T15:00:54+02:00 DEBUG [gobinary] Skipping vulnerability scan as no version is detected for the package name="./api/v2"
2025-04-23T15:00:54+02:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path="usr/local/bin/docker-entrypoint"
2025-04-23T15:00:54+02:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path="usr/local/bin/gomplate"
2025-04-23T15:00:54+02:00 WARN Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.61/docs/scanner/vulnerability#severity-selection for details.
2025-04-23T15:00:54+02:00 DEBUG Specified ignore file does not exist file=".trivyignore"
2025-04-23T15:00:54+02:00 DEBUG [vex] VEX filtering is disabled
Report Summary
┌──────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ dexidp/dex:latest-alpine (alpine 3.21.3) │ alpine │ 0 │ - │
├──────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/dex │ gobinary │ 3 │ - │
├──────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/docker-entrypoint │ gobinary │ 3 │ - │
├──────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/gomplate │ gobinary │ 9 │ - │
└──────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
usr/local/bin/dex (gobinary)
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 3)
┌───────────────────────┬────────────────┬──────────┬────────┬────────────────────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────┼────────────────┼──────────┼────────┼────────────────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/dexidp/dex │ CVE-2020-26290 │ CRITICAL │ fixed │ v0.0.0-20250415092641-922e1547b73e │ 2.27.0 │ Critical security issues in XML encoding in │
│ │ │ │ │ │ │ github.com/dexidp/dex │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-26290 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2020-27847 │ │ │ │ │ dexidp/dex: authentication bypass in saml authentication │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-27847 │
│ ├────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-39222 │ │ │ │ 2.35.0 │ dexidp: gaining access to applications accepting that token │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-39222 │
└───────────────────────┴────────────────┴──────────┴────────┴────────────────────────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
usr/local/bin/docker-entrypoint (gobinary)
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 3)
┌───────────────────────┬────────────────┬──────────┬────────┬────────────────────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────┼────────────────┼──────────┼────────┼────────────────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/dexidp/dex │ CVE-2020-26290 │ CRITICAL │ fixed │ v0.0.0-20250415092641-922e1547b73e │ 2.27.0 │ Critical security issues in XML encoding in │
│ │ │ │ │ │ │ github.com/dexidp/dex │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-26290 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2020-27847 │ │ │ │ │ dexidp/dex: authentication bypass in saml authentication │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-27847 │
│ ├────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2022-39222 │ │ │ │ 2.35.0 │ dexidp: gaining access to applications accepting that token │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-39222 │
└───────────────────────┴────────────────┴──────────┴────────┴────────────────────────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
usr/local/bin/gomplate (gobinary)
Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 7, HIGH: 2, CRITICAL: 0)
┌───────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/go-jose/go-jose/v4 │ CVE-2025-27144 │ MEDIUM │ fixed │ v4.0.2 │ 4.0.5 │ go-jose: Go JOSE's Parsing Vulnerable to Denial of Service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-27144 │
├───────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/golang-jwt/jwt/v5 │ CVE-2025-30204 │ HIGH │ │ v5.2.1 │ 5.2.2 │ golang-jwt/jwt: jwt-go allows excessive memory allocation │
│ │ │ │ │ │ │ during header parsing │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-30204 │
├───────────────────────────────┼────────────────┤ │ ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2025-22869 │ │ │ v0.31.0 │ 0.35.0 │ golang.org/x/crypto/ssh: Denial of Service in the Key │
│ │ │ │ │ │ │ Exchange of golang.org/x/crypto/ssh │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22869 │
├───────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2025-22870 │ MEDIUM │ │ v0.32.0 │ 0.36.0 │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: │
│ │ │ │ │ │ │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22870 │
│ ├────────────────┤ │ │ ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-22872 │ │ │ │ 0.38.0 │ golang.org/x/net/html: Incorrect Neutralization of Input │
│ │ │ │ │ │ │ During Web Page Generation in x/net in... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22872 │
├───────────────────────────────┼────────────────┤ │ ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-45336 │ │ │ v1.23.4 │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly │
│ │ │ │ │ │ │ sent after cross-domain redirect │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45336 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-45341 │ │ │ │ │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│ │ │ │ │ │ │ bypass URI name... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45341 │
│ ├────────────────┤ │ │ ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-22866 │ │ │ │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│ │ │ │ │ │ │ on ppc64le in crypto/internal/nistec │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22866 │
│ ├────────────────┤ │ │ ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-22871 │ │ │ │ 1.23.8, 1.24.2 │ net/http: Request smuggling due to acceptance of invalid │
│ │ │ │ │ │ │ chunked data in net/http... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22871 │
└───────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
With a tagged version:
trivy image -d dexidp/dex:v2.42.1-alpine
2025-04-23T15:02:33+02:00 DEBUG [image] Detected image ID image_id="sha256:d915450439a8edc8f2224005d6fe389c6e5238582f2b004cd7d5273c96653011"
2025-04-23T15:02:33+02:00 DEBUG [image] Detected diff ID diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350 sha256:016a18e925e10e1b8c73fd272e53a01e11234b248144d082f626a6e3e9527baf sha256:454f18775877c5c3a39430fb70dc60429e122794c82d540e361beab158ab0e37 sha256:e180cb14417aedfed8f48b0df9c820c284b5c4fcbce5ce6d14d1cf37427b66b3 sha256:c2138b24b36efd43feaa7688055ca88174f71f409ed174a485b62abe93a36549 sha256:dc62b2d5c3fcb3a87132c80060865953ae0da643b5c57f496d6f1bac0a0750f2 sha256:b3f1b582afd9c31497d3b3237be101872c3ce033c4373d8dd28592dbf8787710 sha256:13c3541a7a5fd1418a6c8a082dd5e71fcda194ab7d9a8e366e213fa7148f0067 sha256:a1d3f2472bdb939e3c5216285285a7f894677d8c134738ac6e2e3412556c2555 sha256:3364b06a600f67d722818a075161eb311c79b5610baf7e8ba5f03db8fc19e6a6]
2025-04-23T15:02:33+02:00 DEBUG [image] Detected base layers diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350]
2025-04-23T15:02:33+02:00 INFO Detected OS family="alpine" version="3.21.3"
2025-04-23T15:02:33+02:00 INFO [alpine] Detecting vulnerabilities... os_version="3.21" repository="3.21" pkg_num=15
2025-04-23T15:02:33+02:00 INFO Number of language-specific files num=3
2025-04-23T15:02:33+02:00 INFO [gobinary] Detecting vulnerabilities...
2025-04-23T15:02:33+02:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path="usr/local/bin/dex"
2025-04-23T15:02:33+02:00 DEBUG [gobinary] Skipping vulnerability scan as no version is detected for the package name="./api/v2"
2025-04-23T15:02:33+02:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path="usr/local/bin/docker-entrypoint"
2025-04-23T15:02:33+02:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path="usr/local/bin/gomplate"
2025-04-23T15:02:33+02:00 WARN Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.61/docs/scanner/vulnerability#severity-selection for details.
2025-04-23T15:02:33+02:00 DEBUG Specified ignore file does not exist file=".trivyignore"
2025-04-23T15:02:33+02:00 DEBUG [vex] VEX filtering is disabled
Report Summary
┌───────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├───────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ dexidp/dex:v2.42.1-alpine (alpine 3.21.3) │ alpine │ 0 │ - │
├───────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/dex │ gobinary │ 5 │ - │
├───────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/docker-entrypoint │ gobinary │ 1 │ - │
├───────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/gomplate │ gobinary │ 9 │ - │
└───────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
usr/local/bin/dex (gobinary)
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 1, CRITICAL: 0)
┌───────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ github.com/go-jose/go-jose/v4 │ CVE-2025-27144 │ MEDIUM │ fixed │ v4.0.4 │ 4.0.5 │ go-jose: Go JOSE's Parsing Vulnerable to Denial of Service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-27144 │
├───────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2025-22869 │ HIGH │ │ v0.33.0 │ 0.35.0 │ golang.org/x/crypto/ssh: Denial of Service in the Key │
│ │ │ │ │ │ │ Exchange of golang.org/x/crypto/ssh │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22869 │
├───────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2025-22870 │ MEDIUM │ │ v0.35.0 │ 0.36.0 │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: │
│ │ │ │ │ │ │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22870 │
│ ├────────────────┤ │ │ ├────────────────┼────────────────────────────────────────────────────────────┤
│ │ CVE-2025-22872 │ │ │ │ 0.38.0 │ golang.org/x/net/html: Incorrect Neutralization of Input │
│ │ │ │ │ │ │ During Web Page Generation in x/net in... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22872 │
├───────────────────────────────┼────────────────┤ │ ├───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2025-22871 │ │ │ v1.24.0 │ 1.23.8, 1.24.2 │ net/http: Request smuggling due to acceptance of invalid │
│ │ │ │ │ │ │ chunked data in net/http... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22871 │
└───────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────────────┘
usr/local/bin/docker-entrypoint (gobinary)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2025-22871 │ MEDIUM │ fixed │ v1.24.0 │ 1.23.8, 1.24.2 │ net/http: Request smuggling due to acceptance of invalid │
│ │ │ │ │ │ │ chunked data in net/http... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22871 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────┘
usr/local/bin/gomplate (gobinary)
Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 7, HIGH: 2, CRITICAL: 0)
┌───────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/go-jose/go-jose/v4 │ CVE-2025-27144 │ MEDIUM │ fixed │ v4.0.2 │ 4.0.5 │ go-jose: Go JOSE's Parsing Vulnerable to Denial of Service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-27144 │
├───────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/golang-jwt/jwt/v5 │ CVE-2025-30204 │ HIGH │ │ v5.2.1 │ 5.2.2 │ golang-jwt/jwt: jwt-go allows excessive memory allocation │
│ │ │ │ │ │ │ during header parsing │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-30204 │
├───────────────────────────────┼────────────────┤ │ ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2025-22869 │ │ │ v0.31.0 │ 0.35.0 │ golang.org/x/crypto/ssh: Denial of Service in the Key │
│ │ │ │ │ │ │ Exchange of golang.org/x/crypto/ssh │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22869 │
├───────────────────────────────┼────────────────┼──────────┤ ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2025-22870 │ MEDIUM │ │ v0.32.0 │ 0.36.0 │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: │
│ │ │ │ │ │ │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22870 │
│ ├────────────────┤ │ │ ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-22872 │ │ │ │ 0.38.0 │ golang.org/x/net/html: Incorrect Neutralization of Input │
│ │ │ │ │ │ │ During Web Page Generation in x/net in... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22872 │
├───────────────────────────────┼────────────────┤ │ ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-45336 │ │ │ v1.23.4 │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly │
│ │ │ │ │ │ │ sent after cross-domain redirect │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45336 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-45341 │ │ │ │ │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│ │ │ │ │ │ │ bypass URI name... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45341 │
│ ├────────────────┤ │ │ ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-22866 │ │ │ │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│ │ │ │ │ │ │ on ppc64le in crypto/internal/nistec │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22866 │
│ ├────────────────┤ │ │ ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-22871 │ │ │ │ 1.23.8, 1.24.2 │ net/http: Request smuggling due to acceptance of invalid │
│ │ │ │ │ │ │ chunked data in net/http... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22871 │
└───────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
trivy --version yields
Version: 0.61.1
Vulnerability DB:
Version: 2
UpdatedAt: 2025-04-23 06:18:39.172900945 +0000 UTC
NextUpdate: 2025-04-24 06:18:39.172900434 +0000 UTC
DownloadedAt: 2025-04-23 07:19:28.702098 +0000 UTC
...
But the question would be: is it safe to reference the tag latest-alpine, since trivy there reports those old Criticals? Sometimes one needs the current state of master instead of waiting until the next official tagged release.
It's a false positive: trivy can't detect the correct version.
I'll take a look later, but we supposedly fixed that in 2.42.1 and with the latest trivy those critical vulnerabilities disappeared.
It's generally not a good idea to reference latest (or moving tags in general).
It depends on the client whether it pulls the latest tag or uses a locally available version, so you can never be sure that latest is actually the latest available version.
Hello, I have tested with the latest trivy and those CVEs still show up:
docker run aquasec/trivy:0.62.0 image -d dexidp/dex:v2.42.1
...
Report Summary
┌────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ dexidp/dex:v2.42.1 (alpine 3.21.3) │ alpine │ 0 │ - │
├────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/dex │ gobinary │ 5 │ - │
├────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/docker-entrypoint │ gobinary │ 1 │ - │
├────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/gomplate │ gobinary │ 9 │ - │
└────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
...
Anything you can do about it?
@MoeBensu you cannot scan the latest dex image with trivy for now. In our case, trivy gets the version from ldflags, and for the latest images the flags are equal to -ldflags="-w -X main.version=master -extldflags \"-static\"". In this case, instead of using master, trivy takes the fake v0.0.0- version from the go buildinfo mod github.com/dexidp/dex v0.0.0-20250512145216-f7ead820a850.
For us as Dex maintainers, the only option is to set main.version to something meaningful, e.g., the next tag v2.43.0-rc.1.
You can find more about the problem in this discussion https://github.com/aquasecurity/trivy/discussions/8431
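An added check, not code from the dex project or from this thread, that shows what a version-keyed scanner will see for a Go binary: it reads the main module version and the recorded `-ldflags` from the embedded build info (`debug/buildinfo`) and flags pseudo-versions such as the `v0.0.0-20250512145216-f7ead820a850` quoted above, which no vulnerability database can map to a release tag. The `Finding` type, the function names and the assumption that a scanner falls back to the module pseudo-version when `main.version` is not a tag are mine; the sample values are the ones quoted in the thread.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// pseudoVersionRE matches Go module pseudo-versions, e.g.
// v0.0.0-20250512145216-f7ead820a850 (base version, UTC timestamp, 12-hex commit),
// optionally followed by build metadata such as "+dirty" or "+incompatible".
var pseudoVersionRE = regexp.MustCompile(
	`^v\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]*)?[.-]\d{14}-[0-9a-f]{12}(?:\+[0-9A-Za-z.]+)?$`)

// tagRE matches a plain semver release tag such as v2.42.1 or v2.43.0-rc.1.
var tagRE = regexp.MustCompile(`^v\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?$`)

// isPseudoVersion reports whether v is a pseudo-version, i.e. a version that does
// not correspond to a release tag and that a database keyed on tags cannot match.
func isPseudoVersion(v string) bool {
	return pseudoVersionRE.MatchString(v)
}

// isTagLike reports whether v looks like a release tag (and is not a pseudo-version).
func isTagLike(v string) bool {
	return tagRE.MatchString(v) && !isPseudoVersion(v)
}

// mainVersionFromLDFlags returns the value assigned by "-X main.version=..."
// in a recorded -ldflags string, or "" when none is present.
func mainVersionFromLDFlags(ld string) string {
	fields := strings.Fields(ld)
	for i, f := range fields {
		if f == "-X" && i+1 < len(fields) && strings.HasPrefix(fields[i+1], "main.version=") {
			return strings.TrimPrefix(fields[i+1], "main.version=")
		}
		if strings.HasPrefix(f, "-X=main.version=") {
			return strings.TrimPrefix(f, "-X=main.version=")
		}
	}
	return ""
}

// Finding summarises what a scanner keying on module versions will see. (Hypothetical type.)
type Finding struct {
	Module    string // main module path from buildinfo
	Version   string // main module version from buildinfo
	LDVersion string // main.version injected via -ldflags, if any
	Pseudo    bool   // Version is a pseudo-version or "(devel)": no tag to match against
	NeedsFix  bool   // Pseudo and main.version is not a release tag either, so the
	//                   scanner has nothing better than the pseudo-version to go on
}

// classify applies the rule to values taken from build info.
func classify(module, version, ld string) Finding {
	f := Finding{Module: module, Version: version, LDVersion: mainVersionFromLDFlags(ld)}
	f.Pseudo = version == "(devel)" || isPseudoVersion(version)
	f.NeedsFix = f.Pseudo && !isTagLike(f.LDVersion)
	return f
}

// inspectBinary reads the embedded build info of a Go executable on disk.
func inspectBinary(file string) (Finding, error) {
	bi, err := buildinfo.ReadFile(file)
	if err != nil {
		return Finding{}, err
	}
	ld := ""
	for _, s := range bi.Settings {
		if s.Key == "-ldflags" {
			ld = s.Value
		}
	}
	return classify(bi.Main.Path, bi.Main.Version, ld), nil
}

func main() {
	if len(os.Args) > 1 {
		f, err := inspectBinary(os.Args[1]) // e.g. a copy of usr/local/bin/dex from the image
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("%+v\n", f)
		return
	}
	// Constructed sample mirroring the values quoted in the thread (not read from a real binary).
	fmt.Printf("%+v\n", classify("github.com/dexidp/dex", "v0.0.0-20250512145216-f7ead820a850",
		`-w -X main.version=master -extldflags "-static"`))
	fmt.Printf("%+v\n", classify("github.com/dexidp/dex", "v0.0.0-20250512145216-f7ead820a850",
		`-w -X main.version=v2.43.0-rc.1 -extldflags "-static"`))
}
```

Run it with no arguments to see the two constructed cases (`NeedsFix:true` for `main.version=master`, `false` once a tag-like value is injected), or pass the path of an extracted binary to read its real build info.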
Hi, I found that the latest v2.43.1 contains the following vulnerabilities when scanned with Docker Scout. Is there some process you follow to fix them? Are there any plans to do so? Thank you, Ivos
They should already be fixed in the main branch. We bump dependencies regularly, but usually issue new releases only once every two months.
Thanks for explanation. We will wait.
gomplate has been bumped in main (https://github.com/dexidp/dex/pull/4224) so yeah, just need to cut a new release. Any idea of a timeline for that?
Just checking in again, can you possibly release a new patch version with the dependency bumps to close out CVEs?
The last release was in May and now it's late August
I'm going to close this issue because it seems like the topic is too broad. Open new issues with more specific descriptions if there are still any issues left. Thanks.