attu icon indicating copy to clipboard operation
attu copied to clipboard
Published 1 month ago verified publisher icon zilliztech

Vulnerabilities in Attu v2.5.12 dependencies

Open fmulero opened this issue 5 months ago • 0 comments

When running a trivy scan on attu v2.5.12, it reported several CVEs on the dependencies. Is it possible to update those dependencies ?

$ trivy image zilliz/attu:v2.5.12 --pkg-types library --quiet --ignore-unfixed
...
Node.js (node-pkg)

Total: 3 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

┌────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬─────────────────────────────┬───────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Status │ Installed Version │        Fixed Version        │                           Title                           │
├────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼─────────────────────────────┼───────────────────────────────────────────────────────────┤
│ brace-expansion (package.json) │ CVE-2025-5889 │ LOW      │ fixed  │ 2.0.1             │ 2.0.2, 1.1.12, 3.0.1, 4.0.1 │ brace-expansion: juliangruber brace-expansion index.js    │
│                                │               │          │        │                   │                             │ expand redos                                              │
│                                │               │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-5889                 │
├────────────────────────────────┼───────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼───────────────────────────────────────────────────────────┤
│ form-data (package.json)       │ CVE-2025-7783 │ CRITICAL │        │ 4.0.0             │ 2.5.4, 3.0.4, 4.0.4         │ Use of Insufficiently Random Values vulnerability in      │
│                                │               │          │        │                   │                             │ form-data allows ...                                      │
│                                │               │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-7783                 │
├────────────────────────────────┼───────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼───────────────────────────────────────────────────────────┤
│ on-headers (package.json)      │ CVE-2025-7339 │ LOW      │        │ 1.0.2             │ 1.1.0                       │ on-headers: on-headers vulnerable to http response header │
│                                │               │          │        │                   │                             │ manipulation                                              │
│                                │               │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-7339                 │
└────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴─────────────────────────────┴───────────────────────────────────────────────────────────┘

Thanks forehand

fmulero avatar Jul 24 '25 17:07 fmulero