fix(vex): add CVE-2025-66564 as not_affected into Trivy VEX file#9924

Merged
DmitriyLewen merged 1 commit into aquasecurity:main from DmitriyLewen:vex/suppress-CVE-2025-66564
Dec 10, 2025

Conversation

@DmitriyLewen
Contributor

Description

Trivy contains the vulnerable indirect package github.com/sigstore/timestamp-authority:

┌─────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│                 Library                 │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/sigstore/timestamp-authority │ CVE-2025-66564 │ HIGH     │ fixed  │ v1.2.2            │ 2.0.3           │ Sigstore Timestamp Authority is a service for issuing RFC    │
│                                         │                │          │        │                   │                 │ 3161 timesta ......                                          │
│                                         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-66564                   │
├─────────────────────────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤

There is a fix only for the v2 version - https://pkg.go.dev/vuln/GO-2025-4192
So we can't simply bump the version for this repository.

Solution

I checked this using govulncheck:

➜  govulncheck -mode binary -format openvex ./trivy | jq '.statements[13]'
{
  "vulnerability": {
    "@id": "https://pkg.go.dev/vuln/GO-2025-4192",
    "name": "GO-2025-4192",
    "description": "Sigstore Timestamp Authority allocates excessive memory during request parsing in github.com/sigstore/timestamp-authority",
    "aliases": [
      "CVE-2025-66564",
      "GHSA-4qg8-fj49-pxjh"
    ]
  },
  "products": [
    {
      "@id": "Unknown Product",
      "subcomponents": [
        {
          "@id": "pkg:golang/github.com%2Fsigstore%2Ftimestamp-authority@v1.2.2"
        }
      ]
    }
  ],
  "status": "not_affected",
  "justification": "vulnerable_code_not_present",
  "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
}

Trivy doesn't use the vulnerable package, so we can add this package to our VEX file.

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
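As an added example (not code from this PR or from the Trivy project): a small Python script that takes govulncheck's OpenVEX output of the kind quoted above, picks out the statement for a given CVE, and rewrites it into a product-scoped OpenVEX statement suitable for a project's own VEX file. The sample JSON is constructed from the statement in the PR, and the product PURL pkg:golang/github.com/aquasecurity/trivy is an assumption.

```python
import json
from urllib.parse import unquote

# Constructed sample: the govulncheck OpenVEX statement quoted in the PR, trimmed.
GOVULNCHECK_VEX = json.loads("""{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "statements": [{
    "vulnerability": {
      "@id": "https://pkg.go.dev/vuln/GO-2025-4192",
      "name": "GO-2025-4192",
      "aliases": ["CVE-2025-66564", "GHSA-4qg8-fj49-pxjh"]
    },
    "products": [{"@id": "Unknown Product", "subcomponents": [
      {"@id": "pkg:golang/github.com%2Fsigstore%2Ftimestamp-authority@v1.2.2"}]}],
    "status": "not_affected",
    "justification": "vulnerable_code_not_present",
    "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
  }]
}""")
# Assumed product identifier for the Trivy binary itself (not taken from the PR).
TRIVY_PURL = "pkg:golang/github.com/aquasecurity/trivy"

def find_statement(vex, cve):
    """Return the statement whose vulnerability name or aliases mention cve, else None."""
    for st in vex.get("statements", []):
        vuln = st.get("vulnerability", {})
        if cve == vuln.get("name") or cve in vuln.get("aliases", []):
            return st
    return None

def to_product_statement(st, cve, product_purl=TRIVY_PURL):
    """Rewrite a govulncheck statement into a product-scoped OpenVEX statement.
    govulncheck reports "Unknown Product"; a project's VEX file must name the
    product and list the affected module as a subcomponent. Any verdict other
    than not_affected raises, so an ambiguous result never becomes a suppression."""
    if st.get("status") != "not_affected":
        raise ValueError(f"{cve}: status is {st.get('status')!r}, refusing to suppress")
    subcomponents = []
    for product in st.get("products", []):
        for sub in product.get("subcomponents", []):
            # Decode %2F and drop the version so the statement covers the module,
            # not only the release that govulncheck happened to scan.
            subcomponents.append({"@id": unquote(sub["@id"]).split("@", 1)[0]})
    return {
        "vulnerability": {"name": cve},
        "products": [{"@id": product_purl, "subcomponents": subcomponents}],
        "status": "not_affected",
        "justification": st.get("justification"),
    }
```

The resulting statement should still be reviewed by hand before it is committed, since govulncheck's verdict applies only to the binary it scanned.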

@DmitriyLewen DmitriyLewen marked this pull request as ready for review December 10, 2025 12:16
@DmitriyLewen DmitriyLewen added this pull request to the merge queue Dec 10, 2025
Merged via the queue into aquasecurity:main with commit 335cc99 Dec 10, 2025
13 checks passed
@DmitriyLewen DmitriyLewen deleted the vex/suppress-CVE-2025-66564 branch December 10, 2025 12:38
ca-scribner added a commit to ca-scribner/advisories that referenced this pull request Dec 12, 2025
The vulnerable code comes from an indirect dependency and is not in the code execution path. This is raised by upstream, who concluded they are unaffected [here](aquasecurity/trivy#9924), and was confirmed independently.
github-merge-queue Bot pushed a commit to wolfi-dev/advisories that referenced this pull request Dec 12, 2025
The vulnerable code comes from an indirect dependency and is not in the code execution path. This is raised by upstream, who concluded they are unaffected [here](aquasecurity/trivy#9924), and was confirmed independently.
@knqyf263
Collaborator

knqyf263 commented Jan 7, 2026
