Title: CVE-2025-31115 "xz: XZ has a heap-use-after-free bug in threaded .xz decoder" in -alpine images · Issue #1017 · docker-library/python · GitHub
Open Graph Title: CVE-2025-31115 "xz: XZ has a heap-use-after-free bug in threaded .xz decoder" in -alpine images · Issue #1017 · docker-library/python
X Title: CVE-2025-31115 "xz: XZ has a heap-use-after-free bug in threaded .xz decoder" in -alpine images · Issue #1017 · docker-library/python
Description: The -alpine images have CVE-2025-31115 "xz: XZ has a heap-use-after-free bug in threaded .xz decoder" reported against them. Alpine released xz-5.6.3-r1 that fixes this vulnerability. $ docker run -it aquasec/trivy image python:3.13-alpi...
Open Graph Description: The -alpine images have CVE-2025-31115 "xz: XZ has a heap-use-after-free bug in threaded .xz decoder" reported against them. Alpine released xz-5.6.3-r1 that fixes this vulnerability. $ docker run ...
X Description: The -alpine images have CVE-2025-31115 "xz: XZ has a heap-use-after-free bug in threaded .xz decoder" reported against them. Alpine released xz-5.6.3-r1 that fixes this vulnerability. $ d...
Opengraph URL: https://github.com/docker-library/python/issues/1017
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"CVE-2025-31115 \"xz: XZ has a heap-use-after-free bug in threaded .xz decoder\" in -alpine images","articleBody":"The -alpine images have [CVE-2025-31115](https://nvd.nist.gov/vuln/detail/CVE-2025-31115) \"xz: XZ has a heap-use-after-free bug in threaded .xz decoder\" reported against them.\n\nAlpine released xz-5.6.3-r1 that fixes this vulnerability.\n\n```\n$ docker run -it aquasec/trivy image python:3.13-alpine\n2025-04-08T17:42:50Z\tINFO\t[vulndb] Need to update DB\n2025-04-08T17:42:50Z\tINFO\t[vulndb] Downloading vulnerability DB...\n2025-04-08T17:42:50Z\tINFO\t[vulndb] Downloading artifact...\trepo=\"ghcr.io/aquasecurity/trivy-db:2\"\n62.04 MiB / 62.04 MiB [-----------------------------------------------------------] 100.00% 10.33 MiB p/s 6.2s\n2025-04-08T17:42:56Z\tINFO\t[vulndb] Artifact successfully downloaded\trepo=\"ghcr.io/aquasecurity/trivy-db:2\"\n2025-04-08T17:42:56Z\tINFO\t[vuln] Vulnerability scanning is enabled\n2025-04-08T17:42:56Z\tINFO\t[secret] Secret scanning is enabled\n2025-04-08T17:42:56Z\tINFO\t[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning\n2025-04-08T17:42:56Z\tINFO\t[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection\n2025-04-08T17:42:58Z\tINFO\t[python] License acquired from METADATA classifiers may be subject to additional terms\tname=\"pip\" version=\"24.3.1\"\n2025-04-08T17:42:58Z\tINFO\tDetected OS\tfamily=\"alpine\" version=\"3.21.3\"\n2025-04-08T17:42:58Z\tWARN\tThis OS version is not on the EOL list\tfamily=\"alpine\" version=\"3.21\"\n2025-04-08T17:42:58Z\tINFO\t[alpine] Detecting vulnerabilities...\tos_version=\"3.21\" repository=\"3.21\" pkg_num=28\n2025-04-08T17:42:58Z\tINFO\tNumber of language-specific files\tnum=1\n2025-04-08T17:42:58Z\tINFO\t[python-pkg] Detecting vulnerabilities...\n2025-04-08T17:42:58Z\tWARN\tUsing severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.56/docs/scanner/vulnerability#severity-selection for details.\n\npython:3.13-alpine (alpine 3.21.3)\n\nTotal: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)\n\n┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐\n│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │\n├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤\n│ xz-libs │ CVE-2025-31115 │ HIGH │ fixed │ 5.6.3-r0 │ 5.6.3-r1 │ xz: XZ has a heap-use-after-free bug in threaded .xz decoder │\n│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-31115 │\n└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘\n```","author":{"url":"https://github.com/candrews","@type":"Person","name":"candrews"},"datePublished":"2025-04-08T17:45:05.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":1},"url":"https://github.com/1017/python/issues/1017"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:61aa134d-3458-5598-3dec-fee241e40c2b |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | AD56:39455D:90EEEF:C349E2:6A5B4853 |
| html-safe-nonce | 53ce4c50ffa60e5b43bd18c127f24dac053ca2bf62aa75ede1b6c5589c32e3b5 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJBRDU2OjM5NDU1RDo5MEVFRUY6QzM0OUUyOjZBNUI0ODUzIiwidmlzaXRvcl9pZCI6IjIwOTI1Mjc5MDY4NDk1MDc0MTEiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 370e6009c4223b7169bb13bb70b991db677f277dafd4215e3a6f706eb12ee8b7 |
| hovercard-subject-tag | issue:2980523098 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/docker-library/python/1017/issue_layout |
| twitter:image | https://opengraph.githubassets.com/650c5ab4b36efc32954e7497735cf60de3d857aee8c37e2ecdd8e3218e32e9f4/docker-library/python/issues/1017 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/650c5ab4b36efc32954e7497735cf60de3d857aee8c37e2ecdd8e3218e32e9f4/docker-library/python/issues/1017 |
| og:image:alt | The -alpine images have CVE-2025-31115 "xz: XZ has a heap-use-after-free bug in threaded .xz decoder" reported against them. Alpine released xz-5.6.3-r1 that fixes this vulnerability. $ docker run ... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | candrews |
| hostname | github.com |
| expected-hostname | github.com |
| None | 5290d7e14309ad1e76106a9c4237bd1041517e83ea182c8ab756752cb0c6940b |
| turbo-cache-control | no-preview |
| go-import | github.com/docker-library/python git https://github.com/docker-library/python.git |
| octolytics-dimension-user_id | 7739233 |
| octolytics-dimension-user_login | docker-library |
| octolytics-dimension-repository_id | 21054928 |
| octolytics-dimension-repository_nwo | docker-library/python |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 21054928 |
| octolytics-dimension-repository_network_root_nwo | docker-library/python |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 9c975978430e9ad293956f2bbdaf153b1bd84a99 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width