Security: Critical and High CVEs found in Docker Image for piraeus-csi with version v1.8.1 #210
Description
We've performed a vulnerability scan on the container image used by the piraeus-csi pod and found one Critical and a few High severity CVEs. These are mostly inherited from the Debian base image and Go runtime used during the build.
CVE Summary
| CVE ID | Package(s) | Version | Fix Status | Severity |
|---|---|---|---|---|
| CVE-2023-31484 | perl-base | 5.36.0-7+deb12u2 | Won't Fix (Debian) | High |
| CVE-2023-52425 | libexpat1 | 2.5.0-1+deb12u1 | Won't Fix (Debian) | High |
| CVE-2024-8176 | libexpat1 | 2.5.0-1+deb12u1 | Won't Fix (Debian) | High |
| CVE-2025-22871 | Go stdlib (stdlib) | go1.24.1 | Fixed in 1.24.2 | Critical |
| CVE-2025-6020 | libpam-modules, libpam0g, etc. | 1.5.2-6+deb12u1 | Fix available | High |
| CVE-2025-5222 | libicu72 | 72.1-3 | Fixed in 72.1-3+deb12u1 | High |
| CVE-2025-22874 | Go stdlib (stdlib) | go1.24.1 | Fixed in 1.24.4 | High |
| CVE-2025-4802 | libc-bin, libc6 | 2.36-9+deb12u10 | Won't Fix (Debian) | High |
Build Context
We believe the image is based on Debian 12 (bookworm) and built with Go 1.24.1, based on the reported CVEs. Several of these vulnerabilities are already fixed in upstream Debian or newer Go versions.
Please let us know if a patched image is planned or available. We'd be happy to retest any newer version.
Thanks for maintaining this project!
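The report above infers the Go toolchain version from scanner output. An added example, not part of this issue or of the piraeus project's own code: a small Go program that reads the toolchain version the linker embeds in a binary (via `debug/buildinfo`) and compares it with the fix releases listed in the table, so the "built with Go 1.24.1" inference can be confirmed on the extracted `piraeus-csi` binary rather than guessed. The CVE-to-fix mapping is copied from the table; the binary path is a command-line argument; the version comparison is a hand-written parser that assumes plain release versions (`go1.24.1`, not `go1.25rc1`) and treats anything it cannot parse as affected.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// knownStdlibFixes maps the Go stdlib CVEs from the table in this issue to the
// first Go release that fixes them (the "Fix Status" column).
var knownStdlibFixes = map[string]string{
	"CVE-2025-22871": "go1.24.2",
	"CVE-2025-22874": "go1.24.4",
}

// parseGoVersion turns "go1.24.1" (or "1.24.1", "go1.24") into up to three
// numeric components. Pre-release forms such as "go1.25rc1" are rejected;
// this assumes only released toolchains are being inspected.
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("unrecognised Go version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// compareGoVersion returns -1, 0 or 1 as a is older than, equal to or newer
// than b, or an error if either string is not a plain Go release version.
func compareGoVersion(a, b string) (int, error) {
	va, err := parseGoVersion(a)
	if err != nil {
		return 0, err
	}
	vb, err := parseGoVersion(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if va[i] < vb[i] {
			return -1, nil
		}
		if va[i] > vb[i] {
			return 1, nil
		}
	}
	return 0, nil
}

// affectedCVEs returns the CVE IDs from fixes whose fixing release is newer
// than goVersion, sorted so the output is stable. An unparseable goVersion
// counts as affected by everything: an unknown toolchain is not evidence of
// a fix.
func affectedCVEs(goVersion string, fixes map[string]string) []string {
	var out []string
	for cve, fixed := range fixes {
		c, err := compareGoVersion(goVersion, fixed)
		if err != nil || c < 0 {
			out = append(out, cve)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: check-go-cves <path-to-binary>")
		os.Exit(2)
	}
	// buildinfo.ReadFile parses the build information the Go linker embeds in
	// every module-built binary; the binary is never executed.
	info, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read build info:", err)
		os.Exit(1)
	}
	fmt.Printf("%s: built with %s\n", os.Args[1], info.GoVersion)
	affected := affectedCVEs(info.GoVersion, knownStdlibFixes)
	if len(affected) == 0 {
		fmt.Println("no listed stdlib CVE applies to this toolchain version")
		return
	}
	for _, cve := range affected {
		fmt.Printf("  %s: fixed in %s\n", cve, knownStdlibFixes[cve])
	}
	os.Exit(1)
}
```

To get the binary out of the image without running it, create a stopped container and copy the file (`docker create --name tmp <image>` followed by `docker cp tmp:/path/to/piraeus-csi ./piraeus-csi`), then run `go run check-go-cves.go ./piraeus-csi`; `go version -m ./piraeus-csi` prints the same embedded toolchain version and module list if you only want to eyeball it. A non-zero exit when a listed CVE still applies makes the check usable as a CI gate.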