CVE-2025-31115

[RWNiezen]

In the python docker images there seems to be a vulnerability. Also It seems to be fixed by ubuntu but the images on the docker hub need an update.

liblzma5
fixed 5.4.1-0.2 --> 5.4.1-1
xz: XZ has a heap-use-after-free bug in threaded .xz decoder

https://ubuntu.com/security/CVE-2025-31115
https://nvd.nist.gov/vuln/detail/CVE-2025-31115

[petermorlion]

Could it be you're mixing two issues? I believe you're talking about CVE-2025-31115, not CVE-2025-31125 (notice "15" vs "25" at the end). The NIST links is: https://nvd.nist.gov/vuln/detail/CVE-2025-31115

[RWNiezen]

Could it be you're mixing two issues? I believe you're talking about CVE-2025-31115, not CVE-2025-31125 (notice "15" vs "25" at the end). The NIST links is: https://nvd.nist.gov/vuln/detail/CVE-2025-31115

Yes, my apologies. I updated the issue. I am referring to the issue about xz-utils.

[RWNiezen]

I was using 3.13-slim, but my trivy gave an error. I temporarily fixed it by using 3.13.2-slim-bullseye

[yosifkit]

The images are Debian based, so the fix link is https://security-tracker.debian.org/tracker/CVE-2025-31115.

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).

-https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

Lucky for us, there is a debian rebuild PR open now, so the python images will be rebuilt once that is merged. It may take a day or two since we will be rebuilding all supported Docker Official images that are FROM debian:*.