
bitnami-mongodb-7.0.20_linux_arm64

digest: sha256:53b16c30fdf0e3e1425a33b8d363012c24314ea35f54239653f1a061a3a488be
vulnerabilities: critical: 0 high: 2 medium: 4 low: 1
platform: linux/arm64
size: 207 MB
packages: 650
critical: 0 high: 1 medium: 2 low: 0 stdlib 1.24.3 (golang)

pkg:golang/stdlib@1.24.3
high: CVE-2025-22874

Affected range: >=1.24.0-0, <1.24.4
Fixed version: 1.24.4
EPSS Score: 0.022%
EPSS Percentile: 4th percentile
Description

Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

medium: CVE-2025-4673

Affected range: >=1.24.0-0, <1.24.4
Fixed version: 1.24.4
EPSS Score: 0.040%
EPSS Percentile: 11th percentile
Description

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects, potentially leaking sensitive information.

medium: CVE-2025-0913

Affected range: >=1.24.0-0, <1.24.4
Fixed version: 1.24.4
EPSS Score: 0.013%
EPSS Percentile: 1st percentile
Description

os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.

critical: 0 high: 1 medium: 0 low: 0 tar-fs 2.1.2 (npm)

pkg:npm/tar-fs@2.1.2
high 8.7: CVE-2025-48387 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected range: >=2.0.0, <2.1.3
Fixed version: 2.1.3
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS Score: 0.123%
EPSS Percentile: 32nd percentile
Description

Impact

v3.0.8, v2.1.2, v1.16.4 and below

Patches

Has been patched in 3.0.9, 2.1.3, and 1.16.5

Workarounds

You can use the ignore option to ignore entries that are not regular files or directories.

  ignore (_, header) {
    // pass files & directories, ignore e.g. symlinks
    return header.type !== 'file' && header.type !== 'directory'
  }

Credit

Thank you Caleb Brown from Google Open Source Security Team for reporting this in detail.

critical: 0 high: 0 medium: 2 low: 0 stdlib 1.23.9 (golang)

pkg:golang/stdlib@1.23.9
medium: CVE-2025-4673

Affected range: <1.23.10
Fixed version: 1.23.10
EPSS Score: 0.040%
EPSS Percentile: 11th percentile
Description

Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects, potentially leaking sensitive information.

medium: CVE-2025-0913

Affected range: <1.23.10
Fixed version: 1.23.10
EPSS Score: 0.013%
EPSS Percentile: 1st percentile
Description

os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.

critical: 0 high: 0 medium: 0 low: 1 brace-expansion 1.1.11 (npm)

pkg:npm/brace-expansion@1.1.11
low 1.3: CVE-2025-5889 Uncontrolled Resource Consumption

Affected range: >=1.0.0, <=1.1.11
Fixed version: 1.1.12
CVSS Score: 1.3
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.052%
EPSS Percentile: 16th percentile
Description

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.