Skip to main content
New to Testkube? Unleash the power of cloud native testing in Kubernetes with Testkube. Get Started >

dex-v2.42.0_linux_amd64

digestsha256:10dc393947e2d04dd8c0972ccf405e6f47aba0b694af059c94aa9d249d69ae1b
vulnerabilitiescritical: 0 high: 6 medium: 11 low: 1
platformlinux/amd64
size42 MB
packages256
critical: 0 high: 1 medium: 0 low: 0 golang.org/x/crypto 0.31.0 (golang)

pkg:golang/golang.org/x/crypto@0.31.0

# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate

high : CVE--2025--22869

Affected range<0.35.0
Fixed version0.35.0
EPSS Score0.090%
EPSS Percentile23rd percentile
Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/oauth2 0.26.0 (golang)

pkg:golang/golang.org/x/oauth2@0.26.0

# Dockerfile (76:76)
COPY --from=builder /go/bin/dex /usr/local/bin/dex

high : CVE--2025--22868

Affected range<0.27.0
Fixed version0.27.0
EPSS Score0.121%
EPSS Percentile28th percentile
Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/crypto 0.32.0 (golang)

pkg:golang/golang.org/x/crypto@0.32.0

# Dockerfile (76:76)
COPY --from=builder /go/bin/dex /usr/local/bin/dex

high : CVE--2025--22869

Affected range<0.35.0
Fixed version0.35.0
EPSS Score0.090%
EPSS Percentile23rd percentile
Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

critical: 0 high: 1 medium: 0 low: 0 github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/jwt@5.2.1#v5

# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate

high 8.7: CVE--2025--30204 Asymmetric Resource Consumption (Amplification)

Affected range
>=5.0.0-rc.1
<5.2.2
Fixed version5.2.2
CVSS Score8.7
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score0.055%
EPSS Percentile14th percentile
Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/oauth2 0.24.0 (golang)

pkg:golang/golang.org/x/oauth2@0.24.0

# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate

high : CVE--2025--22868

Affected range<0.27.0
Fixed version0.27.0
EPSS Score0.121%
EPSS Percentile28th percentile
Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

critical: 0 high: 1 medium: 0 low: 0 musl 1.2.5-r8 (apk)

pkg:apk/alpine/musl@1.2.5-r8?os_name=alpine&os_version=3.21

# Dockerfile (38:57)
FROM alpine:3.21.2@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099 AS stager

RUN mkdir -p /var/dex
RUN mkdir -p /etc/dex
COPY config.docker.yaml /etc/dex/

FROM alpine:3.21.2@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099 AS gomplate

ARG TARGETOS
ARG TARGETARCH
ARG TARGETVARIANT

ENV GOMPLATE_VERSION=v4.3.0

RUN wget -O /usr/local/bin/gomplate \
"https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS:-linux}-${TARGETARCH:-amd64}${TARGETVARIANT}" \
&& chmod +x /usr/local/bin/gomplate

# For Dependabot to detect base image versions
FROM alpine:3.21.2@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099 AS alpine

high : CVE--2025--26519

Affected range<1.2.5-r9
Fixed version1.2.5-r9
EPSS Score0.024%
EPSS Percentile4th percentile
Description
critical: 0 high: 0 medium: 3 low: 0 stdlib 1.23.4 (golang)

pkg:golang/stdlib@1.23.4

# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate

medium : CVE--2024--45341

Affected range
>=1.23.0-0
<1.23.5
Fixed version1.23.5
EPSS Score0.043%
EPSS Percentile10th percentile
Description

A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.

Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.

medium : CVE--2024--45336

Affected range
>=1.23.0-0
<1.23.5
Fixed version1.23.5
EPSS Score0.024%
EPSS Percentile4th percentile
Description

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.

In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.

medium : CVE--2025--22866

Affected range
>=1.23.0-0
<1.23.6
Fixed version1.23.6
EPSS Score0.023%
EPSS Percentile4th percentile
Description

Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.

critical: 0 high: 0 medium: 2 low: 0 openssl 3.3.2-r4 (apk)

pkg:apk/alpine/openssl@3.3.2-r4?os_name=alpine&os_version=3.21

# Dockerfile (38:57)
FROM alpine:3.21.2@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099 AS stager

RUN mkdir -p /var/dex
RUN mkdir -p /etc/dex
COPY config.docker.yaml /etc/dex/

FROM alpine:3.21.2@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099 AS gomplate

ARG TARGETOS
ARG TARGETARCH
ARG TARGETVARIANT

ENV GOMPLATE_VERSION=v4.3.0

RUN wget -O /usr/local/bin/gomplate \
"https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS:-linux}-${TARGETARCH:-amd64}${TARGETVARIANT}" \
&& chmod +x /usr/local/bin/gomplate

# For Dependabot to detect base image versions
FROM alpine:3.21.2@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099 AS alpine

medium : CVE--2024--12797

Affected range<3.3.3-r0
Fixed version3.3.3-r0
EPSS Score0.117%
EPSS Percentile27th percentile
Description

medium : CVE--2024--13176

Affected range<3.3.2-r5
Fixed version3.3.2-r5
EPSS Score0.075%
EPSS Percentile20th percentile
Description
critical: 0 high: 0 medium: 2 low: 0 golang.org/x/net 0.32.0 (golang)

pkg:golang/golang.org/x/net@0.32.0

# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate

medium : CVE--2024--45338

Affected range<0.33.0
Fixed version0.33.0
EPSS Score0.066%
EPSS Percentile17th percentile
Description

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

medium 4.4: CVE--2025--22870 Misinterpretation of Input

Affected range<0.36.0
Fixed version0.36.0
CVSS Score4.4
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
EPSS Score0.018%
EPSS Percentile3rd percentile
Description

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

critical: 0 high: 0 medium: 1 low: 1 github.com/aws/aws-sdk-go 1.55.5 (golang)

pkg:golang/github.com/aws/aws-sdk-go@1.55.5

# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate

medium : CVE--2020--8911

Affected range>=0
Fixed versionNot Fixed
EPSS Score0.203%
EPSS Percentile40th percentile
Description

A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.

low : CVE--2020--8912

Affected range>=0
Fixed versionNot Fixed
EPSS Score0.141%
EPSS Percentile31st percentile
Description

A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.

critical: 0 high: 0 medium: 1 low: 0 github.com/go-jose/go-jose/v4 4.0.4 (golang)

pkg:golang/github.com/go-jose/go-jose@4.0.4#v4

# Dockerfile (76:76)
COPY --from=builder /go/bin/dex /usr/local/bin/dex

medium 6.9: CVE--2025--27144 Uncontrolled Resource Consumption

Affected range<4.0.5
Fixed version4.0.5
CVSS Score6.9
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS Score0.026%
EPSS Percentile4th percentile
Description

Impact

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Patches

Version 4.0.5 fixes this issue

Workarounds

Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.

References

This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.

critical: 0 high: 0 medium: 1 low: 0 golang.org/x/net 0.34.0 (golang)

pkg:golang/golang.org/x/net@0.34.0

# Dockerfile (76:76)
COPY --from=builder /go/bin/dex /usr/local/bin/dex

medium 4.4: CVE--2025--22870 Misinterpretation of Input

Affected range<0.36.0
Fixed version0.36.0
CVSS Score4.4
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
EPSS Score0.018%
EPSS Percentile3rd percentile
Description

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

critical: 0 high: 0 medium: 1 low: 0 github.com/go-jose/go-jose/v4 4.0.2 (golang)

pkg:golang/github.com/go-jose/go-jose@4.0.2#v4

# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate

medium 6.9: CVE--2025--27144 Uncontrolled Resource Consumption

Affected range<4.0.5
Fixed version4.0.5
CVSS Score6.9
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS Score0.026%
EPSS Percentile4th percentile
Description

Impact

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Patches

Version 4.0.5 fixes this issue

Workarounds

Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.

References

This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.