High & Critical CVEs found in piraeus-server v1.31.0 Docker image #209
While performing vulnerability scans on the piraeusdatastore/piraeus-server:v1.31.0 Docker image, we found several Critical and High severity CVEs originating from:
- The use of Go 1.22.0 as the base image
- The runtime base image `debian:bookworm-slim`, which pulls in several known-vulnerable packages (some marked "won't fix")
📋 Consolidated Table of Critical & High Severity CVEs
| CVE / GHSA ID | Severity | Component | Version | Impact | Fixed In / Mitigation |
|---|---|---|---|---|---|
| CVE-2024-24790 | 🔴 Critical | Go stdlib (net/netip) | <1.22.4 | IPv6 misclassification → IP allowlist bypass | Go ≥ 1.21.11 / 1.22.4 |
| CVE-2025-22871 | 🔴 Critical | Go stdlib (net/http) | <1.23.8 | HTTP request smuggling (bare LF) | Go ≥ 1.23.8 |
| CVE-2025-49794 | 🔴 Critical | libxml2 | 2.9.14+dfsg-1.3~deb12u1 | Out-of-bounds write on crafted XML | 2.9.14+dfsg-1.3~deb12u2 |
| CVE-2025-49796 | 🔴 Critical | libxml2 | Same as above | Use-after-free in XML parser | Same as above |
| GHSA-24rp-q3w6-vc56 | 🔴 Critical | postgresql JDBC | 42.5.4 | Deserialization RCE via PGobject | 42.5.5 |
| CVE-2023-45288 | 🟠 High | Go stdlib (net/http) | <1.22.2 | Path traversal on Windows | Go ≥ 1.21.9 / 1.22.2 |
| CVE-2024-24784 | 🟠 High | Go stdlib (net/http) | <1.22.1 | Host header injection | Go ≥ 1.21.8 / 1.22.1 |
| CVE-2023-2953 | 🟠 High | libldap | 2.5.13+dfsg-5 | Heap buffer overflow | No fix (Debian: WNF) |
| CVE-2023-31484 | 🟠 High | perl-base | 5.36.0 | Insecure env handling → code exec | No fix (Debian: WNF) |
| CVE-2023-52425 | 🟠 High | libexpat | 2.5.0-1+deb12u1 | XML DoS via crafted input | Upgrade to fixed version |
| CVE-2024-8176 | 🟠 High | libexpat | Same as above | XML crash on malformed input | Upgrade available |
| CVE-2024-24791 | 🟠 High | Go stdlib | <1.22.5 | DoS via improper HTTP/2 error handling | Go ≥ 1.21.12 / 1.22.5 |
| CVE-2024-25062 | 🟠 High | libxml2 | Same as above | Out-of-bounds write | 2.9.14+dfsg-1.3~deb12u2 |
| CVE-2024-34459 | 🟠 High | libxml2 | Same as above | Use-after-free | Same as above |
| CVE-2024-34156 | 🟠 High | Go stdlib | <1.23.1 | HTTP header smuggling risk | Go ≥ 1.22.7 / 1.23.1 |
| GHSA-vmq6-5m68-f53m | 🟠 High | logback-classic/core | 1.3.8 | RCE via Groovy config injection | 1.3.12 |
| GHSA-264p-99wq-f4j6 | 🟠 High | ion-java | 1.0.2 | DoS via large memory allocation | Upgrade recommended |
| GHSA-735f-pc8j-v9w8 | 🟠 High | protobuf-java | 3.25.0 | DoS via crafted message parsing | ≥ 3.25.5 |
| GHSA-4g8c-wm8x-jfhw | 🟠 High | netty-handler | 4.1.97.Final | DoS via compression flaw | 4.1.118.Final |
| GHSA-xpw8-rcwv-8f8p | 🟠 High | netty-codec-http2 | 4.1.97.Final | DoS via crafted headers | 4.1.100.Final |
✅ Recommendations
- Upgrade Go to at least `golang:1.22.7` or later
- Switch to distroless or scratch image (if `piraeus-server` is statically linked)
- If Debian is still preferred, run `apt-get upgrade` during image build
- Pin and update vulnerable dependencies like `protobuf`, `netty`, `logback`, `ion-java`
🚨 Request for Early Fix
We request the maintainers to prioritize and deliver a patch release that includes updated base images and dependency versions to resolve these CVEs. This is critical for teams using piraeus-server in production environments where CVE compliance and security posture are actively enforced.
Please let us know if you'd like us to attach our scan reports or help verify the fixed image. We greatly appreciate the project and look forward to a secured release!
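As an added example (not part of this report or of the piraeus project), the script below checks a Go toolchain version against the Go stdlib rows transcribed from the table's "Fixed In" column, so a reviewer can tell which of the listed stdlib CVEs a given builder image still carries. The branch-aware comparison rule is an assumed reading of that column; releases on a branch newer than any the table lists are reported as unknown, because the table does not say whether such a branch inherited the fix.

```python
import re

# Go stdlib rows transcribed from the table above: CVE -> "Fixed In" releases,
# one threshold per Go minor branch that the table lists.
GO_STDLIB_FIXES = {
    "CVE-2024-24790": ["1.21.11", "1.22.4"],
    "CVE-2025-22871": ["1.23.8"],
    "CVE-2023-45288": ["1.21.9", "1.22.2"],
    "CVE-2024-24784": ["1.21.8", "1.22.1"],
    "CVE-2024-24791": ["1.21.12", "1.22.5"],
    "CVE-2024-34156": ["1.22.7", "1.23.1"],
}

_VERSION_RE = re.compile(r"^(?:go)?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_go_version(text):
    """Parse 'go1.22.0', '1.22.0' or '1.22' into (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Go version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def status_for(version, fixed_in):
    """Classify one CVE for a Go release using the table's per-branch thresholds.

    Assumed reading of 'Fixed In': fixed when on a listed minor branch at or
    above that branch's threshold; older branches have no listed fix and are
    'affected'; newer branches are 'unknown' (check with govulncheck).
    """
    major, minor, patch = parse_go_version(version)
    branches = {}
    for fix in fixed_in:
        _, fix_minor, fix_patch = parse_go_version(fix)
        branches[fix_minor] = fix_patch
    if major != 1:
        return "unknown"
    if minor in branches:
        return "fixed" if patch >= branches[minor] else "affected"
    return "affected" if minor < max(branches) else "unknown"


def check_go_version(version):
    """Status of every Go stdlib CVE in the table for one Go release."""
    return {cve: status_for(version, fixes) for cve, fixes in GO_STDLIB_FIXES.items()}


def still_affected(version):
    """Table CVEs that a binary built with this Go release still carries."""
    return sorted(c for c, s in check_go_version(version).items() if s == "affected")
```

Run against the recommended `golang:1.22.7`, the table's own thresholds still flag CVE-2025-22871, since its only listed fix is on the 1.23 branch.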