Skip to content

Fix CVE-2025-22874 #262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 19, 2025
Merged

Fix CVE-2025-22874 #262

merged 1 commit into from
Sep 19, 2025
+1 −1

Conversation

jnmt
Copy link
Collaborator

@jnmt jnmt commented Sep 17, 2025
edited
Loading

Description

This PR fixes CVE-2025-22874. We need to upgrade grpc_health_probe manually since the dependabot does not cover this kind of check for binary.

Related issues and/or PRs

N/A

Changes made

Checklist

The following is a best-effort checklist. If any items in this checklist are not applicable to this PR or are dependent on other, unmerged PRs, please still mark the checkboxes after you have read and understood each item.

  • I have commented my code, particularly in hard-to-understand areas.
  • I have updated the documentation to reflect the changes.
  • I have considered whether similar issues could occur in other products, components, or modules if this PR is for bug fixes.
  • Any remaining open issues linked to this PR are documented and up-to-date (Jira, GitHub, etc.).
  • Tests (unit, integration, etc.) have been added for the changes.
  • My changes generate no new warnings.
  • Any dependent changes in other PRs have been merged and published.

Additional notes (optional)

N/A

Release notes

Fixed CVE-2025-22874.

@jnmt jnmt self-assigned this Sep 17, 2025
@jnmt jnmt added the bugfix label Sep 17, 2025
gemini-code-assist[bot]
gemini-code-assist bot reviewed Sep 17, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary of Changes

Hello @jnmt, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request is focused on enhancing the security posture of the application by patching a known vulnerability. It specifically targets CVE-2025-22874, which is mitigated by updating the grpc_health_probe binary to its latest secure version. This proactive measure ensures the system remains protected against potential exploits related to this vulnerability.

Highlights

  • Security Vulnerability Fix: This pull request addresses and resolves CVE-2025-22874 by upgrading the grpc_health_probe dependency to a secure version.
  • Dependency Upgrade: The grpc_health_probe tool has been manually updated from version v0.4.38 to v0.4.40 within the ledger/Dockerfile to mitigate the identified vulnerability.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Sep 18, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request correctly addresses the security vulnerability GHSA-6f52-wpx2-hvf2 by upgrading grpc_health_probe from v0.4.38 to v0.4.40 in the Dockerfile. The change is straightforward and effectively resolves the issue. I have included one suggestion to enhance maintainability by documenting the reason for this version pin directly within the Dockerfile.

ledger/Dockerfile
FROM docker.io/busybox:1.36 AS tools

ENV GRPC_HEALTH_PROBE_VERSION v0.4.38
ENV GRPC_HEALTH_PROBE_VERSION v0.4.40
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

For better maintainability, it's helpful to add a comment explaining why this specific version is pinned. This provides context for future developers, especially since this change is for a security fix.

# Pin to v0.4.40 to address CVE-2024-22874 (GHSA-6f52-wpx2-hvf2)
ENV GRPC_HEALTH_PROBE_VERSION v0.4.40

@jnmt jnmt requested review from choplin and feeblefakie September 18, 2025 00:01
choplin
choplin approved these changes Sep 18, 2025
View reviewed changes
Copy link

@choplin choplin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@feeblefakie feeblefakie merged commit 35b935a into master Sep 19, 2025
10 checks passed
@feeblefakie feeblefakie deleted the fix-CVE-2025-22874 branch September 19, 2025 02:48
This was referenced Sep 19, 2025
Merged
Merged
Merged
Merged
jnmt added a commit that referenced this pull request Sep 19, 2025
@jnmt
Fix CVE-2025-22874 (#262)
8748ec4
jnmt added a commit that referenced this pull request Sep 19, 2025
@jnmt
Fix CVE-2025-22874 (#262)
d083cb8
jnmt added a commit that referenced this pull request Sep 19, 2025
@jnmt
Fix CVE-2025-22874 (#262)
aa2c306
jnmt added a commit that referenced this pull request Sep 19, 2025
@jnmt
Fix CVE-2025-22874 (#262)
f035302
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@choplin choplin choplin approved these changes

@feeblefakie feeblefakie feeblefakie approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements
Assignees

@jnmt jnmt

Labels
bugfix dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jnmt @choplin @feeblefakie