
Add apk upgrade to fix OpenSSL CVEs in cached base image #91

Merged
mendhak merged 1 commit into mendhak:master from willyguggenheim:fix/dockerfile-vuln-remediation
Feb 6, 2026

Conversation

@willyguggenheim (Contributor)

Summary

  • Add apk upgrade --no-cache to the final stage to ensure OS packages are current even when Docker layer cache serves a stale node:22-alpine base image

Motivation

The published Docker Hub image (mendhak/http-https-echo:latest) is on Alpine 3.23.2 with OpenSSL 3.5.4-r0 which has 2 CRITICAL and 4 HIGH CVEs:

  • CVE-2025-15467 (CRITICAL) - Remote code execution or DoS via oversized initialization vectors
  • CVE-2025-69419 (HIGH) - Arbitrary code execution via out-of-bounds write in PKCS#12 processing
  • CVE-2025-69421 (HIGH) - DoS via malformed PKCS#12 file processing

These are fixed in OpenSSL 3.5.5-r0 (Alpine 3.23.3). The apk upgrade ensures the fix is picked up regardless of base image cache age.

Change

One-line addition to the existing RUN command in the final stage:

-RUN rm -rf /usr/local/lib/node_modules
+RUN apk upgrade --no-cache && rm -rf /usr/local/lib/node_modules
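Review bot: the description says the upgrade applies "regardless of base image cache age", but the new `RUN apk upgrade --no-cache && rm -rf /usr/local/lib/node_modules` line is itself a cacheable layer. On a builder that already holds the `node:22-alpine` layers and has built this exact instruction before, BuildKit reuses the cached result of this RUN and the upgrade is not re-executed; the `--no-cache` flag here only tells apk not to keep its package index on disk and has no effect on Docker's layer cache. Suggest documenting that the release build must run with `docker build --pull --no-cache` (which is what the test plan already does), or adding a build argument such as `ARG CACHE_DATE` referenced before this RUN so the layer is invalidated on each release build. Chaining with `&&` is the right choice: a failed upgrade now fails the build rather than silently producing an image with the old libssl3.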

Test plan

  • Local build with --no-cache succeeds
  • Trivy image scan: 0 HIGH/CRITICAL across all targets
  • Confirmed Docker Hub image (mendhak/http-https-echo:latest) has the 6 OpenSSL findings without this fix
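A small check for the test plan's "confirm the image has the fix" step, as an added example rather than code from the http-https-echo project: it parses `apk info -v` output (one `name-version` line per package), compares the installed `libcrypto3` and `libssl3` versions against the `3.5.5-r0` fix version from the PR using a simplified Alpine version ordering, and reports which packages still carry the three listed CVEs. The embedded sample output is constructed to mimic the stale image and was not captured from the real image; the `report` helper and the file-argument convention are this example's own.

```python
import re

# Fix version and package names quoted in the PR (Alpine's OpenSSL runtime packages).
FIXED_VERSION = "3.5.5-r0"
WATCHED_PACKAGES = ("libcrypto3", "libssl3")
# CVEs the PR says are resolved by that version.
CVES = ("CVE-2025-15467", "CVE-2025-69419", "CVE-2025-69421")

# Constructed sample in the shape of `apk info -v` output (name-version per line),
# imitating the stale image described in the PR. Not captured from the real image.
SAMPLE_STALE = """\
musl-1.2.5-r10
busybox-1.37.0-r22
libcrypto3-3.5.4-r0
libssl3-3.5.4-r0
ca-certificates-bundle-20250911-r0
"""


def parse_apk_info(text):
    """Map package name -> version. `apk info -v` prints name-version; the
    version begins at the first '-' that is followed by a digit, so package
    names containing hyphens (ca-certificates-bundle) are handled."""
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"^(.+?)-(\d.*)$", line)
        if m:
            packages[m.group(1)] = m.group(2)
    return packages


def version_key(version):
    """Sort key for Alpine package versions such as 3.5.5-r0: dotted numeric
    components (any trailing suffix kept as a tiebreaker string) followed by
    the -rN package release. Simplified ordering, not apk's full algorithm."""
    main, _, release = version.partition("-r")
    components = []
    for piece in main.split("."):
        digits, suffix = re.match(r"(\d*)(.*)", piece).groups()
        components.append((int(digits) if digits else 0, suffix))
    return (components, int(release) if release.isdigit() else 0)


def outdated_packages(apk_info_text, fixed=FIXED_VERSION, watched=WATCHED_PACKAGES):
    """Return {name: installed_version} for watched packages older than `fixed`."""
    installed = parse_apk_info(apk_info_text)
    return {
        name: version
        for name, version in installed.items()
        if name in watched and version_key(version) < version_key(fixed)
    }


def report(apk_info_text):
    """Human-readable verdict: which watched packages still carry the listed CVEs."""
    stale = outdated_packages(apk_info_text)
    if not stale:
        return f"OK: {', '.join(WATCHED_PACKAGES)} at or above {FIXED_VERSION}"
    return "\n".join(
        f"{name} {version} < {FIXED_VERSION}: {', '.join(CVES)} not fixed"
        for name, version in sorted(stale.items())
    )


if __name__ == "__main__":
    # Real use: docker run --rm mendhak/http-https-echo:latest apk info -v > pkgs.txt
    #           python3 check_openssl.py pkgs.txt
    # Without an argument the constructed sample is checked instead.
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STALE
    print(report(text))
```

Feed it the package list of the freshly built image and of the published `:latest` tag to reproduce both halves of the test plan offline: the old image reports both libraries below `3.5.5-r0`, the rebuilt one reports OK. A Trivy scan remains the authoritative check; this only confirms that the upgrade layer actually took effect.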

The node:22-alpine base image may serve stale OS packages when built
with Docker layer cache. Adding apk upgrade ensures libcrypto3/libssl3
are updated to 3.5.5-r0, resolving CVE-2025-15467, CVE-2025-69419,
and CVE-2025-69421.

mendhak merged commit f9148d5 into mendhak:master on Feb 6, 2026
2 checks passed