
CVE-2025-4517 on python3.11

Open · forrana opened this issue 6 months ago · 3 comments

JFrog's Xray scanner reports this and other CVEs: CVE-2025-4435, CVE-2025-4330, CVE-2025-4138. Those all are coming from python3.11.12. I know that the latest image is supposed to have 3.11.13, but it seems it has 3.11.12 hidden somewhere as well. I checked the path and it's coming from the following hash: 7f6e5b96bd814093e9e436fd11f5b83f83280688d0290f87954800b3a89196dd. That is a layer from the python:3.11.13-alpine image.

```
16:16:52 #6 [linux/amd64 1/7] FROM docker.io/library/python:3.11.13-alpine@sha256:8068890a42d68ece5b62455ef327253249b5f094dcdee57f492635a40217f6a3
16:16:52 #6 resolve docker.io/library/python:3.11.13-alpine@sha256:8068890a42d68ece5b62455ef327253249b5f094dcdee57f492635a40217f6a3 0.0s done
16:16:52 #6 sha256:001a982bd46375c72e605501ad0cc9e18d462f1a1acceab0ffb36efd6ac311b7 249B / 249B 0.2s done
16:16:52 #6 sha256:7f6e5b96bd814093e9e436fd11f5b83f83280688d0290f87954800b3a89196dd 16.23MB / 16.23MB 0.3s done
16:16:52 #6 sha256:6760217c9b2110cfef8eec91415fd408ce564ab368e483924d4cb963e37b31cf 460.22kB / 460.22kB 0.5s done
16:16:52 #6 sha256:fe07684b16b82247c3539ed86a65ff37a76138ec25d380bd80c869a1a4c73236 3.80MB / 3.80MB 0.5s done
16:16:52 #6 extracting sha256:fe07684b16b82247c3539ed86a65ff37a76138ec25d380bd80c869a1a4c73236 0.1s done
16:16:52 #6 extracting sha256:6760217c9b2110cfef8eec91415fd408ce564ab368e483924d4cb963e37b31cf 0.2s done
16:16:52 #6 extracting sha256:7f6e5b96bd814093e9e436fd11f5b83f83280688d0290f87954800b3a89196dd 0.5s done
```

Image

If I check the SBOM tab, it shows that the image has both 3.11.12 and 3.11.13.

Image

forrana · Jul 01 '25 14:07

I cannot possibly speak for JFrog's Xray, but I'm afraid that without more information I can't really be very helpful here. I can't find any record of anything but the expected Python 3.11.13 in the image you're referring to.

You might find https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves to be helpful, especially if you're not even using the TarFile library in your Python application.

tianon · Jul 01 '25 21:07
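As an added example (not part of this issue thread or the docker-library tooling), the following script does the check a practitioner would want before trusting or dismissing the scanner: it asks the image which Python it actually runs and then searches the install tree for the older version string the scanner attributed to it. It assumes `docker` is on PATH; the image tag, expected version and stale version are taken from this issue and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example: confirm the Python version an image really ships and whether the
# version string a scanner flagged is still present anywhere under /usr/local.
# Assumptions: docker is available; defaults below come from the issue report.
IMAGE="${IMAGE:-python:3.11.13-alpine}"
EXPECTED="${EXPECTED:-3.11.13}"
STALE="${STALE:-3.11.12}"

# parse_version "Python 3.11.13" -> "3.11.13"; prints nothing for a non-banner line
parse_version() {
  printf '%s\n' "$1" | sed -n 's/^Python \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# version_matches BANNER EXPECTED -> exit 0 when the parsed version equals EXPECTED
version_matches() {
  [ "$(parse_version "$1")" = "$2" ]
}

# count_paths: reads path lines on stdin, prints how many non-empty lines there are
count_paths() {
  grep -c '.' || true
}

# check_image: exit 0 if the image runs EXPECTED and no STALE markers are found,
# 1 on a mismatch or leftover markers, 2 if the container could not be started.
check_image() {
  banner=$(docker run --rm "$IMAGE" python3 --version 2>&1) || return 2
  if ! version_matches "$banner" "$EXPECTED"; then
    echo "FAIL: $IMAGE reports '$banner', expected $EXPECTED" >&2
    return 1
  fi
  # Fixed-string search of text files only (-I skips binaries) under the
  # official image's CPython prefix; a hit shows where the old string lives.
  hits=$(docker run --rm "$IMAGE" sh -c "grep -rIlF '$STALE' /usr/local 2>/dev/null")
  n=$(printf '%s\n' "$hits" | count_paths)
  if [ "$n" -gt 0 ]; then
    echo "WARN: $n file(s) under /usr/local still mention $STALE:" >&2
    printf '%s\n' "$hits" >&2
    return 1
  fi
  echo "OK: $IMAGE runs Python $EXPECTED; no '$STALE' markers under /usr/local"
}

# Run the docker-backed check only when invoked as: sh check.sh run
if [ "${1:-}" = "run" ]; then
  check_image
fi
```

A scanner that matches package metadata rather than the running interpreter can still report a different version than this check finds; the file list printed on a WARN is what to hand back to the scanner vendor.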

We have observed similar issues in SonarQube, where it reports a high number of vulnerabilities in most images.

chandanrattan · Jul 17 '25 17:07

My life line is computer course ❤️❤️ And I can do it ****


shivamdubey63106-cloud · Aug 07 '25 04:08