
Vulnerabilities in Kapacitor Docker Image[v1.8.2] with Trivy Scan #849

@sathyendranv

Description

We performed a security scan on the Kapacitor Docker image using Trivy and observed multiple vulnerabilities (including HIGH and CRITICAL severity findings). These appear to originate from base image dependencies and/or bundled packages.

We would like clarification on:

  • Whether these vulnerabilities are already known and being tracked
  • If there is a planned timeline for remediation
  • Recommended mitigation steps for production deployments

Environment

Summary of Findings

Trivy Vulnerability Scan Results (usr/bin/kapacitor)

| VulnerabilityID | Severity | CVSS Score | Title | Library | Vulnerable Version | Fixed Version | Information URL |
|---|---|---|---|---|---|---|---|
| CVE-2025-47914 | MEDIUM | | golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages | golang.org/x/crypto | v0.36.0 | 0.45.0 | https://avd.aquasec.com/nvd/cve-2025-47914 |
| CVE-2025-58181 | MEDIUM | | golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication | golang.org/x/crypto | v0.36.0 | 0.45.0 | https://avd.aquasec.com/nvd/cve-2025-58181 |
| CVE-2025-58183 | HIGH | | golang: archive/tar: Unbounded allocation when parsing GNU sparse map | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/cve-2025-58183 |
| CVE-2025-61726 | HIGH | | golang: net/url: Memory exhaustion in query parameter parsing in net/url | stdlib | v1.24.6 | 1.24.12, 1.25.6 | https://avd.aquasec.com/nvd/cve-2025-61726 |
| CVE-2025-61728 | HIGH | | golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip | stdlib | v1.24.6 | 1.24.12, 1.25.6 | https://avd.aquasec.com/nvd/cve-2025-61728 |
| CVE-2025-61729 | HIGH | | crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate | stdlib | v1.24.6 | 1.24.11, 1.25.5 | https://avd.aquasec.com/nvd/cve-2025-61729 |
| CVE-2025-61730 | HIGH | | During the TLS 1.3 handshake if multiple messages are sent in records ... | stdlib | v1.24.6 | 1.24.12, 1.25.6 | https://avd.aquasec.com/nvd/cve-2025-61730 |
| CVE-2025-68121 | HIGH | | During session resumption in crypto/tls, if the underlying Config has ... | stdlib | v1.24.6 | 1.24.13, 1.25.7, 1.26.0-rc.3 | https://avd.aquasec.com/nvd/cve-2025-68121 |
| CVE-2025-47912 | MEDIUM | | net/url: Insufficient validation of bracketed IPv6 hostnames in net/url | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/cve-2025-47912 |
| CVE-2025-58185 | MEDIUM | | encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1 | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/cve-2025-58185 |
| CVE-2025-58186 | MEDIUM | | golang.org/net/http: Lack of limit when parsing cookies can cause memory exhaustion in net/http | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/cve-2025-58186 |
| CVE-2025-58187 | MEDIUM | | crypto/x509: Quadratic complexity when checking name constraints in crypto/x509 | stdlib | v1.24.6 | 1.24.9, 1.25.3 | https://avd.aquasec.com/nvd/cve-2025-58187 |
| CVE-2025-58188 | MEDIUM | | crypto/x509: golang: Panic when validating certificates with DSA public keys in crypto/x509 | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/cve-2025-58188 |
| CVE-2025-58189 | MEDIUM | | crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/cve-2025-58189 |
| CVE-2025-61723 | MEDIUM | | encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/cve-2025-61723 |
| CVE-2025-61724 | MEDIUM | | net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/cve-2025-61724 |
| CVE-2025-61725 | MEDIUM | | net/mail: Excessive CPU consumption in ParseAddress in net/mail | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/cve-2025-61725 |
| CVE-2025-61727 | MEDIUM | | golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs | stdlib | v1.24.6 | 1.24.11, 1.25.5 | https://avd.aquasec.com/nvd/cve-2025-61727 |
Trivy Dependency Scan Results (usr/bin/kapacitor)

| ID | Name | Version | Notes |
|---|---|---|---|
| github.com/influxdata/kapacitor@v1.8.2 | github.com/influxdata/kapacitor | v1.8.2 | |
| stdlib@v1.24.6 | stdlib | v1.24.6 | |
| github.com/AlecAivazis/survey/v2@v2.2.9 | github.com/AlecAivazis/survey/v2 | v2.2.9 | |
| github.com/BurntSushi/toml@v1.4.1-0.20240526193622-a339e1f7089c | github.com/BurntSushi/toml | v1.4.1-0.20240526193622-a339e1f7089c | |
| github.com/andreyvit/diff@v0.0.0-20170406064948-c7f18ee00883 | github.com/andreyvit/diff | v0.0.0-20170406064948-c7f18ee00883 | |
| github.com/apache/arrow/go/v7@v7.0.1 | github.com/apache/arrow/go/v7 | v7.0.1 | |
| github.com/benbjohnson/immutable@v0.3.0 | github.com/benbjohnson/immutable | v0.3.0 | |
| github.com/cespare/xxhash@v1.1.0 | github.com/cespare/xxhash | v1.1.0 | |
| github.com/cespare/xxhash/v2@v2.2.0 | github.com/cespare/xxhash/v2 | v2.2.0 | |
| github.com/cpuguy83/go-md2man/v2@v2.0.0 | github.com/cpuguy83/go-md2man/v2 | v2.0.0 | |
| github.com/dustin/go-humanize@v1.0.1 | github.com/dustin/go-humanize | v1.0.1 | |
| github.com/ghodss/yaml@v1.0.0 | github.com/ghodss/yaml | v1.0.0 | |
| github.com/goccy/go-json@v0.10.2 | github.com/goccy/go-json | v0.10.2 | |
| github.com/gofrs/uuid@v3.3.0+incompatible | github.com/gofrs/uuid | v3.3.0+incompatible | |
| github.com/gogo/protobuf@v1.3.2 | github.com/gogo/protobuf | v1.3.2 | |
| github.com/google/flatbuffers@v23.5.26+incompatible | github.com/google/flatbuffers | v23.5.26+incompatible | |
| github.com/google/go-cmp@v0.7.0 | github.com/google/go-cmp | v0.7.0 | |
| github.com/influxdata/flux@v0.191.0 | github.com/influxdata/flux | v0.191.0 | |
| github.com/influxdata/influx-cli/v2@v2.0.0-20210526124422-63da8eccbdb7 | github.com/influxdata/influx-cli/v2 | v2.0.0-20210526124422-63da8eccbdb7 | |
| github.com/influxdata/influxdb@v1.9.6 | github.com/influxdata/influxdb | v1.9.6 | |
| github.com/influxdata/influxql@v1.1.1-0.20211004132434-7e7d61973256 | github.com/influxdata/influxql | v1.1.1-0.20211004132434-7e7d61973256 | |
| github.com/kballard/go-shellquote@v0.0.0-20180428030007-95032a82bc51 | github.com/kballard/go-shellquote | v0.0.0-20180428030007-95032a82bc51 | |
| github.com/mattn/go-colorable@v0.1.13 | github.com/mattn/go-colorable | v0.1.13 | |
| github.com/mattn/go-isatty@v0.0.19 | github.com/mattn/go-isatty | v0.0.19 | |
| github.com/mgutz/ansi@v0.0.0-20170206155736-9520e82c474b | github.com/mgutz/ansi | v0.0.0-20170206155736-9520e82c474b | |
| github.com/opentracing/opentracing-go@v1.2.0 | github.com/opentracing/opentracing-go | v1.2.0 | |
| github.com/pkg/errors@v0.9.1 | github.com/pkg/errors | v0.9.1 | |
| github.com/russross/blackfriday/v2@v2.0.1 | github.com/russross/blackfriday/v2 | v2.0.1 | |
| github.com/sergi/go-diff@v1.0.0 | github.com/sergi/go-diff | v1.0.0 | |
| github.com/shurcooL/sanitized_anchor_name@v1.0.0 | github.com/shurcooL/sanitized_anchor_name | v1.0.0 | |
| github.com/uber/jaeger-client-go@v2.28.0+incompatible | github.com/uber/jaeger-client-go | v2.28.0+incompatible | |
| github.com/uber/jaeger-lib@v2.4.1+incompatible | github.com/uber/jaeger-lib | v2.4.1+incompatible | |
| github.com/urfave/cli/v2@v2.3.0 | github.com/urfave/cli/v2 | v2.3.0 | |
| github.com/xlab/treeprint@v1.0.0 | github.com/xlab/treeprint | v1.0.0 | |
| go.uber.org/atomic@v1.7.0 | go.uber.org/atomic | v1.7.0 | |
| go.uber.org/multierr@v1.6.0 | go.uber.org/multierr | v1.6.0 | |
| go.uber.org/zap@v1.16.0 | go.uber.org/zap | v1.16.0 | |
| golang.org/x/crypto@v0.36.0 | golang.org/x/crypto | v0.36.0 | |
| golang.org/x/sync@v0.12.0 | golang.org/x/sync | v0.12.0 | |
| golang.org/x/sys@v0.31.0 | golang.org/x/sys | v0.31.0 | |
| golang.org/x/term@v0.30.0 | golang.org/x/term | v0.30.0 | |
| golang.org/x/text@v0.23.0 | golang.org/x/text | v0.23.0 | |
| golang.org/x/xerrors@v0.0.0-20220907171357-04be3eba64a2 | golang.org/x/xerrors | v0.0.0-20220907171357-04be3eba64a2 | |
| google.golang.org/protobuf@v1.33.0 | google.golang.org/protobuf | v1.33.0 | |
| gopkg.in/yaml.v2@v2.4.0 | gopkg.in/yaml.v2 | v2.4.0 | |

Trivy Vulnerability Scan Results (usr/bin/kapacitord)

| VulnerabilityID | Severity | CVSS Score | Title | Library | Vulnerable Version | Fixed Version |
|---|---|---|---|---|---|---|
| CVE-2025-54410 | LOW | 5.2 | github.com/moby/moby: Moby's Firewalld reload removes bridge network isolation | github.com/docker/docker | v27.1.1+incompatible | 28.0.0 |
| CVE-2025-63811 | HIGH | | An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allow ... | github.com/dvsekhvalnov/jose2go | v1.6.0 | 1.7.0 |
| CVE-2025-10543 | MEDIUM | 5.3 | paho.mqtt.golang: paho.mqtt.golang: Integer Overflow in UTF-8 String Encoding | github.com/eclipse/paho.mqtt.golang | v1.2.0 | 1.5.1 |
| CVE-2022-21698 | HIGH | 7.5 | prometheus/client_golang: Denial of service using InstrumentHandlerCounter | github.com/prometheus/client_golang | v1.10.0 | 1.11.1 |
| CVE-2025-65637 | HIGH | | github.com/sirupsen/logrus: github.com/sirupsen/logrus: Denial-of-Service due to large single-line payload | github.com/sirupsen/logrus | v1.9.0 | 1.8.3, 1.9.1, 1.9.3 |
| CVE-2025-47914 | MEDIUM | | golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages | golang.org/x/crypto | v0.36.0 | 0.45.0 |
| CVE-2025-58181 | MEDIUM | | golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication | golang.org/x/crypto | v0.36.0 | 0.45.0 |
| CVE-2025-58183 | HIGH | | golang: archive/tar: Unbounded allocation when parsing GNU sparse map | stdlib | v1.24.6 | 1.24.8, 1.25.2 |
| CVE-2025-61726 | HIGH | | golang: net/url: Memory exhaustion in query parameter parsing in net/url | stdlib | v1.24.6 | 1.24.12, 1.25.6 |
| CVE-2025-61728 | HIGH | | golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip | stdlib | v1.24.6 | 1.24.12, 1.25.6 |
| CVE-2025-61729 | HIGH | | crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate | stdlib | v1.24.6 | 1.24.11, 1.25.5 |
| CVE-2025-61730 | HIGH | | During the TLS 1.3 handshake if multiple messages are sent in records ... | stdlib | v1.24.6 | 1.24.12, 1.25.6 |
| CVE-2025-68121 | HIGH | | During session resumption in crypto/tls, if the underlying Config has ... | stdlib | v1.24.6 | 1.24.13, 1.25.7, 1.26.0-rc.3 |
| CVE-2025-47912 | MEDIUM | | net/url: Insufficient validation of bracketed IPv6 hostnames in net/url | stdlib | v1.24.6 | 1.24.8, 1.25.2 |
| CVE-2025-58185 | MEDIUM | | encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1 | stdlib | v1.24.6 | 1.24.8, 1.25.2 |
| CVE-2025-58186 | MEDIUM | | golang.org/net/http: Lack of limit when parsing cookies can cause memory exhaustion in net/http | stdlib | v1.24.6 | 1.24.8, 1.25.2 |
| CVE-2025-58187 | MEDIUM | | crypto/x509: Quadratic complexity when checking name constraints in crypto/x509 | stdlib | v1.24.6 | 1.24.9, 1.25.3 |
| CVE-2025-58188 | MEDIUM | | crypto/x509: golang: Panic when validating certificates with DSA public keys in crypto/x509 | stdlib | v1.24.6 | 1.24.8, 1.25.2 |
| CVE-2025-58189 | MEDIUM | | crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information | stdlib | v1.24.6 | 1.24.8, 1.25.2 |
| CVE-2025-61723 | MEDIUM | | encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem | stdlib | v1.24.6 | 1.24.8, 1.25.2 |
| CVE-2025-61724 | MEDIUM | | net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto | stdlib | v1.24.6 | 1.24.8, 1.25.2 |
| CVE-2025-61725 | MEDIUM | | net/mail: Excessive CPU consumption in ParseAddress in net/mail | stdlib | v1.24.6 | 1.24.8, 1.25.2 |
| CVE-2025-61727 | MEDIUM | | golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs | stdlib | v1.24.6 | 1.24.11, 1.25.5 |
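Added example, not part of the issue above and not Kapacitor project code: a small Go program that turns a Trivy JSON report for Go binaries into a remediation plan. The point it makes about the tables is that the `stdlib` rows are not dependency bumps at all. Trivy reads the Go toolchain version (1.24.6) and module list that `go build` embeds in the binary, and those rows clear only when the image is rebuilt with a patched toolchain, whereas the module rows (`golang.org/x/crypto`, `logrus`, `jose2go`, ...) need `go.mod` updates. The program computes, per Go release line, the lowest patch release that covers every stdlib finding (the maximum of the listed fixes, so 1.24.13 on the 1.24 line because of CVE-2025-68121), flags a release line on which some finding has no fix at all, and for each module picks the smallest listed fix that is not below the installed version (logrus v1.9.0 goes to 1.9.1, not 1.8.3 or 1.9.3). The JSON field names (`Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`) are Trivy's own; the sample report is constructed from a few rows of the tables above and is not real scanner output; `Plan`, `triage`, `ver` and `parseVer` are names this example introduces.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample in the shape of `trivy image -f json` output, built from rows of the
// tables above (not real scanner output); field names follow Trivy's JSON schema.
const sampleReport = `{"Results":[{"Target":"usr/bin/kapacitord","Type":"gobinary","Vulnerabilities":[
 {"VulnerabilityID":"CVE-2025-68121","PkgName":"stdlib","InstalledVersion":"v1.24.6","FixedVersion":"1.24.13, 1.25.7, 1.26.0-rc.3","Severity":"HIGH"},
 {"VulnerabilityID":"CVE-2025-61729","PkgName":"stdlib","InstalledVersion":"v1.24.6","FixedVersion":"1.24.11, 1.25.5","Severity":"HIGH"},
 {"VulnerabilityID":"CVE-2025-65637","PkgName":"github.com/sirupsen/logrus","InstalledVersion":"v1.9.0","FixedVersion":"1.8.3, 1.9.1, 1.9.3","Severity":"HIGH"},
 {"VulnerabilityID":"CVE-2025-54410","PkgName":"github.com/docker/docker","InstalledVersion":"v27.1.1+incompatible","FixedVersion":"28.0.0","Severity":"LOW"}]}]}`

// trivyReport is the subset of Trivy's JSON report this triage reads.
type trivyReport struct {
	Results []struct {
		Vulnerabilities []struct{ VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity string }
	}
}

// ver is a dotted version; "v", "+incompatible" and any prerelease suffix ("-rc.3") are dropped.
type ver [3]int
func parseVer(s string) (ver, bool) {
	s = strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(s), "v"), "+incompatible")
	s, _, _ = strings.Cut(s, "-")
	var v ver
	n, _ := fmt.Sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2])
	return v, n >= 2 // accept "1.24" as well as "1.24.13"
}

func (v ver) less(o ver) bool { // lexicographic on (major, minor, patch)
	return v[0] < o[0] || v[0] == o[0] && (v[1] < o[1] || v[1] == o[1] && v[2] < o[2])
}
func (v ver) String() string { return fmt.Sprintf("%d.%d.%d", v[0], v[1], v[2]) }
func (v ver) line() string   { return fmt.Sprintf("%d.%d", v[0], v[1]) }

// Plan separates what a rebuild with a newer Go toolchain clears from what needs a go.mod bump.
type Plan struct {
	GoToolchain  map[string]string   // Go release line -> lowest patch release fixing every stdlib finding
	GoIncomplete map[string][]string // Go release line -> stdlib CVEs that are only fixed on a newer line
	Modules      map[string]string   // module path -> smallest fixed version not below the installed one
	NoFix        map[string]bool     // findings with no usable fixed version
}

func triage(raw []byte) (Plan, error) {
	var rep trivyReport
	if err := json.Unmarshal(raw, &rep); err != nil {
		return Plan{}, err
	}
	plan := Plan{GoToolchain: map[string]string{}, GoIncomplete: map[string][]string{}, Modules: map[string]string{}, NoFix: map[string]bool{}}
	goNeed := map[string]ver{}  // release line -> highest patch any stdlib finding requires
	goFloor := map[string]ver{} // stdlib CVE -> oldest release line that carries a fix
	modNeed := map[string]ver{} // module path -> highest of the per-CVE minimum fixes
	for _, r := range rep.Results {
		for _, f := range r.Vulnerabilities {
			inst, _ := parseVer(f.InstalledVersion)
			best, found := ver{}, false
			for _, fx := range strings.Split(f.FixedVersion, ",") {
				fv, ok := parseVer(fx)
				if !ok || fv.less(inst) { // a fix on a line older than the installed one is no use
					continue
				}
				if !found || fv.less(best) { // smallest usable fix for this finding
					best, found = fv, true
				}
				if cur, ok := goNeed[fv.line()]; f.PkgName == "stdlib" && (!ok || cur.less(fv)) {
					goNeed[fv.line()] = fv
				}
			}
			if !found {
				plan.NoFix[f.VulnerabilityID] = true
			} else if f.PkgName == "stdlib" {
				goFloor[f.VulnerabilityID] = ver{best[0], best[1], 0}
			} else if cur, ok := modNeed[f.PkgName]; !ok || cur.less(best) {
				modNeed[f.PkgName] = best
			}
		}
	}
	// Go fixes land on the main branch and are back-ported to supported release lines, so a
	// newer line carries every fix an older one has; only an older line can fall short.
	for line, need := range goNeed {
		plan.GoToolchain[line] = need.String()
		for cve, floor := range goFloor {
			if need.less(floor) {
				plan.GoIncomplete[line] = append(plan.GoIncomplete[line], cve)
			}
		}
	}
	for m, v := range modNeed {
		plan.Modules[m] = v.String()
	}
	return plan, nil
}

func main() {
	fmt.Println(triage([]byte(sampleReport))) // Plan for the sample, then a nil error
}
```

Run it with `go run` on the sample, or feed `triage` the output of `trivy image -f json` for the real image. Two caveats a production triage would add: Trivy's `gobinary` scan matches on the versions recorded in the binary's build info (what `go version -m usr/bin/kapacitord` prints) and says nothing about whether the vulnerable function is reachable, so `govulncheck -mode=binary usr/bin/kapacitord` is the tool that answers "does this process actually call the affected code"; and a report that covers both binaries simply repeats the same stdlib rows, which the map-based plan above merges without double counting.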
