Description
JFrog's Xray scanner reports this and other CVEs: CVE-2025-4435, CVE-2025-4330, CVE-2025-4138.
Those are all coming from python 3.11.12.
I know that the latest image is supposed to have 3.11.13, but it seems it has 3.11.12 hidden somewhere as well.
I checked the path, and it's coming from the following hash:
7f6e5b96bd814093e9e436fd11f5b83f83280688d0290f87954800b3a89196dd
That is a layer from the python:3.11.13-alpine image:
16:16:52 #6 [linux/amd64 1/7] FROM docker.io/library/python:3.11.13-alpine@sha256:8068890a42d68ece5b62455ef327253249b5f094dcdee57f492635a40217f6a3
16:16:52 #6 resolve docker.io/library/python:3.11.13-alpine@sha256:8068890a42d68ece5b62455ef327253249b5f094dcdee57f492635a40217f6a3 0.0s done
16:16:52 #6 sha256:001a982bd46375c72e605501ad0cc9e18d462f1a1acceab0ffb36efd6ac311b7 249B / 249B 0.2s done
16:16:52 #6 sha256:7f6e5b96bd814093e9e436fd11f5b83f83280688d0290f87954800b3a89196dd 16.23MB / 16.23MB 0.3s done
16:16:52 #6 sha256:6760217c9b2110cfef8eec91415fd408ce564ab368e483924d4cb963e37b31cf 460.22kB / 460.22kB 0.5s done
16:16:52 #6 sha256:fe07684b16b82247c3539ed86a65ff37a76138ec25d380bd80c869a1a4c73236 3.80MB / 3.80MB 0.5s done
16:16:52 #6 extracting sha256:fe07684b16b82247c3539ed86a65ff37a76138ec25d380bd80c869a1a4c73236 0.1s done
16:16:52 #6 extracting sha256:6760217c9b2110cfef8eec91415fd408ce564ab368e483924d4cb963e37b31cf 0.2s done
16:16:52 #6 extracting sha256:7f6e5b96bd814093e9e436fd11f5b83f83280688d0290f87954800b3a89196dd 0.5s done
If I check the SBOM tab, it shows that the image has both 3.11.12 and 3.11.13.
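A defender-side check for the situation in this report, added here as an example (not code from the reporter or from the python image project): it walks the layer tarballs of a `docker save` export and reports the CPython `PY_VERSION` each layer carries, so a superseded 3.11.12 sitting in a lower layer is visible next to the 3.11.13 that the final filesystem shows. It assumes the official image's layout (`/usr/local/include/python3.x/patchlevel.h`); the `make_sample_layer` helper builds constructed fixture layers so the check can be run offline.

```shell
#!/bin/sh
# Report the CPython version found in each image layer. Scanners flag
# every layer, so a stale interpreter hidden below a newer one still
# shows up in the SBOM even though `python3 --version` in the running
# container reports only the newest copy.
#
# Input: a directory produced by `tar -xf` on a `docker save` tarball
# (each layer is a tar file inside it; other files are skipped).

py_versions_per_layer() {
  find "$1" -type f | sort | while read -r f; do
    # Only archives that contain a patchlevel.h header are of interest.
    member=$(tar -tf "$f" 2>/dev/null \
      | grep 'include/python3\.[0-9]*/patchlevel\.h$' | head -n1)
    [ -n "$member" ] || continue
    # Extract just that member to stdout and read the PY_VERSION define.
    ver=$(tar -xOf "$f" "$member" 2>/dev/null \
      | sed -n 's/^#define PY_VERSION *"\([^"]*\)".*/\1/p')
    printf '%s %s\n' "$(basename "$f")" "${ver:-unknown}"
  done
}

# The distinct set of interpreter versions across all layers; more than
# one entry means an older build is still present in a lower layer.
distinct_py_versions() {
  py_versions_per_layer "$1" | awk '$2 != "unknown" {print $2}' | sort -u
}

# Test fixture only: build a minimal constructed layer tar that carries a
# patchlevel.h with the given version (real layers come from `docker save`).
make_sample_layer() {  # make_sample_layer <out.tar> <version>
  tmp=$(mktemp -d)
  mkdir -p "$tmp/usr/local/include/python3.11"
  printf '#define PY_VERSION "%s"\n' "$2" \
    > "$tmp/usr/local/include/python3.11/patchlevel.h"
  tar -cf "$1" -C "$tmp" usr
  rm -rf "$tmp"
}
```

Run `mkdir img && docker save python:3.11.13-alpine | tar -xf - -C img && distinct_py_versions img` to apply it to the real image; two versions in the output confirm what the SBOM tab reports.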