Snyk - Open Source Security

Snyk test report

November 30th 2025, 12:27:35 am (UTC+00:00)

Scanned the following path:
  • public.ecr.aws/docker/library/redis:8.2.2-alpine/docker/library/redis (apk)
2 known vulnerabilities
10 vulnerable dependency paths
22 dependencies
Project docker-image|public.ecr.aws/docker/library/redis
Path public.ecr.aws/docker/library/redis:8.2.2-alpine/docker/library/redis
Package Manager apk

CVE-2025-46394

low severity

  • Package Manager: alpine:3.22
  • Vulnerable module: busybox/busybox
  • Introduced through: docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and busybox/busybox@1.37.0-r19

Detailed paths

  • Introduced through: docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine busybox/busybox@1.37.0-r19
  • Introduced through: docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine alpine-baselayout/alpine-baselayout@3.7.0-r0 busybox/busybox-binsh@1.37.0-r19 busybox/busybox@1.37.0-r19
  • Introduced through: docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine busybox/busybox-binsh@1.37.0-r19
  • Introduced through: docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine alpine-baselayout/alpine-baselayout@3.7.0-r0 busybox/busybox-binsh@1.37.0-r19
  • Introduced through: docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine busybox/ssl_client@1.37.0-r19

NVD Description

Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. See How to fix? for Alpine:3.22 relevant fixed versions and status.

In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

Remediation

Upgrade Alpine:3.22 busybox to version 1.37.0-r20 or higher.

CVE-2024-58251

low severity

  • Package Manager: alpine:3.22
  • Vulnerable module: busybox/busybox
  • Introduced through: docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and busybox/busybox@1.37.0-r19

Detailed paths

  • Introduced through: docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine busybox/busybox@1.37.0-r19
  • Introduced through: docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine alpine-baselayout/alpine-baselayout@3.7.0-r0 busybox/busybox-binsh@1.37.0-r19 busybox/busybox@1.37.0-r19
  • Introduced through: docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine busybox/busybox-binsh@1.37.0-r19
  • Introduced through: docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine alpine-baselayout/alpine-baselayout@3.7.0-r0 busybox/busybox-binsh@1.37.0-r19
  • Introduced through: docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine busybox/ssl_client@1.37.0-r19

NVD Description

Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. See How to fix? for Alpine:3.22 relevant fixed versions and status.

In netstat in BusyBox through 1.37.0, local users can launch a network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

Remediation

Upgrade Alpine:3.22 busybox to version 1.37.0-r20 or higher.
