CVE-2025-61727 (UNKNOWN): detected in Lambda Docker Images. #357

@the-lambda-watchdog

CVE Details

  • CVE ID: CVE-2025-61727
  • Severity: UNKNOWN
  • Affected Package: stdlib
  • Installed Version: v1.25.4
  • Fixed Version: 1.24.11, 1.25.5
  • Date Published: 2025-12-03T20:16:25.607Z
  • Date of Scan: 2025-12-04T10:18:50.139362119Z

Affected Docker Images

Image Name SHA
public.ecr.aws/lambda/provided:latest public.ecr.aws/lambda/provided@sha256:c7d5f051b8902752c431af7466546ca25fdf3407fe5a0da8d7450e3a4a57cc32
public.ecr.aws/lambda/provided:al2023 public.ecr.aws/lambda/provided@sha256:c7d5f051b8902752c431af7466546ca25fdf3407fe5a0da8d7450e3a4a57cc32
public.ecr.aws/lambda/provided:al2 public.ecr.aws/lambda/provided@sha256:7b250ff0e1f1e39c350502efd5e409d77631262509dfc1910e72b22be9ae80b4
public.ecr.aws/lambda/python:latest public.ecr.aws/lambda/python@sha256:e78bfe2edd6206a58448bbeb08164c7c420fc974b38e21cefbcd8ed2e7f2d49c
public.ecr.aws/lambda/python:3.14-preview public.ecr.aws/lambda/python@sha256:75413a55af1b3213170328c01d102f81ddbb9d8d1308132656b15a61c12925c4
public.ecr.aws/lambda/python:3.13 public.ecr.aws/lambda/python@sha256:e78bfe2edd6206a58448bbeb08164c7c420fc974b38e21cefbcd8ed2e7f2d49c
public.ecr.aws/lambda/python:3.12 public.ecr.aws/lambda/python@sha256:1f37938f6c1c1443c182ae1e0b14bcd34d2f5c55f44d974563f744f7ac141dc8
public.ecr.aws/lambda/python:3.11 public.ecr.aws/lambda/python@sha256:b4d2fef7750fe8ef8cee837b111682ac12d8d36a2b398081387362960496ed2b
public.ecr.aws/lambda/python:3.10 public.ecr.aws/lambda/python@sha256:d9ca9ef4e61752097e21ba610da5a17ef1958242a7f7df279c765093e0639427
public.ecr.aws/lambda/python:3.9 public.ecr.aws/lambda/python@sha256:6db0b91dc1198b002a94e6d88be15fe3cb339206e309681b6dbc1cdc861ccb95
public.ecr.aws/lambda/nodejs:latest public.ecr.aws/lambda/nodejs@sha256:8b777a857e5f973f76cd1dc85c8f1d3daf832cc656a8dd2d16c3d862a5ad4661
public.ecr.aws/lambda/nodejs:24-preview public.ecr.aws/lambda/nodejs@sha256:592e7661c80b13da0a74b3fa135770c746c70b4f6084d3732afc240d56787488
public.ecr.aws/lambda/nodejs:22 public.ecr.aws/lambda/nodejs@sha256:8b777a857e5f973f76cd1dc85c8f1d3daf832cc656a8dd2d16c3d862a5ad4661
public.ecr.aws/lambda/nodejs:20 public.ecr.aws/lambda/nodejs@sha256:9e9becb3aea7d7ed09a1eb6a342f4f89936f4e037aeddcc78ea3f185b5bf4a84
public.ecr.aws/lambda/java:latest public.ecr.aws/lambda/java@sha256:98105684d3ae337f816d98e4245b83f0ae1de2900007b302e0cacd95f57f87c5
public.ecr.aws/lambda/java:21 public.ecr.aws/lambda/java@sha256:98105684d3ae337f816d98e4245b83f0ae1de2900007b302e0cacd95f57f87c5
public.ecr.aws/lambda/java:17 public.ecr.aws/lambda/java@sha256:0530382a888f1abb01663ecedeaab846b65216f1963dee95a935806a9600168f
public.ecr.aws/lambda/java:11 public.ecr.aws/lambda/java@sha256:17fca66b17e6d347c5ca1d1079622cd80b2f9c1a66a8ff2e7e660199cd9781a0
public.ecr.aws/lambda/java:8.al2 public.ecr.aws/lambda/java@sha256:1b317fa2d957a24ae756975102d7a7f20425692eaf8c356639f587c501bb4aa1
public.ecr.aws/lambda/dotnet:latest public.ecr.aws/lambda/dotnet@sha256:e80df5b68a0c38eb25ac0a8d0c3a7b3e2cd20dd75bb6a41d4921104b9e5ca095
public.ecr.aws/lambda/dotnet:10-preview public.ecr.aws/lambda/dotnet@sha256:0dd0957bff27a917720c76da9ca963f586f7cfa9f734f3634adc3f0f1187dcaf
public.ecr.aws/lambda/dotnet:9 public.ecr.aws/lambda/dotnet@sha256:e80df5b68a0c38eb25ac0a8d0c3a7b3e2cd20dd75bb6a41d4921104b9e5ca095
public.ecr.aws/lambda/dotnet:8 public.ecr.aws/lambda/dotnet@sha256:b0d5c77ede87ca6b77a4cfdda517db035b04286e44dfdabc3b6c4838b4e6f7e0
public.ecr.aws/lambda/ruby:latest public.ecr.aws/lambda/ruby@sha256:ce78c22cf4ab9308759900ff17774abdc70979894c8f8ee75396964173e2fef1
public.ecr.aws/lambda/ruby:3.4 public.ecr.aws/lambda/ruby@sha256:ce78c22cf4ab9308759900ff17774abdc70979894c8f8ee75396964173e2fef1
public.ecr.aws/lambda/ruby:3.3 public.ecr.aws/lambda/ruby@sha256:b5f33ad01ea35660841aded480b53ae51505dea61d44cf2e9dc33e41b5234617
public.ecr.aws/lambda/ruby:3.2 public.ecr.aws/lambda/ruby@sha256:bbba5471af118fc742579ab427a35dd78abca6d62d53a3470c94d154fc5ced64

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example, a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.


Remediation Steps

  • Update the affected package stdlib from version v1.25.4 to one of the fixed versions: 1.24.11 or 1.25.5.

About this issue

  • This issue may not contain all the information about the CVE or the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.
