
CVE-2022-25881 #302

Open
hafeyang opened this issue Feb 8, 2023 · 5 comments

Comments

@hafeyang

hafeyang commented Feb 8, 2023

https://nvd.nist.gov/vuln/detail/CVE-2022-25881

http-cache-semantics package should upgrade from 4.1.0 to 4.1.1

@apaniban

We're affected by this too! Could someone help us create a patch ☺️

@apaniban

Do we have any updates regarding this? ☺️ Thank you!

@theGOTOguy

This is not an issue with Alpine; it is an issue with Node's node-alpine images.

To verify, first brew install trivy, then:

$ trivy image alpine:3.17
2023-02-21T04:04:02.910-0500	INFO	Vulnerability scanning is enabled
2023-02-21T04:04:02.910-0500	INFO	Secret scanning is enabled
2023-02-21T04:04:02.910-0500	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-02-21T04:04:02.910-0500	INFO	Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
2023-02-21T04:04:03.997-0500	INFO	Detected OS: alpine
2023-02-21T04:04:03.997-0500	INFO	Detecting Alpine vulnerabilities...
2023-02-21T04:04:03.999-0500	INFO	Number of language-specific files: 0

alpine:3.17 (alpine 3.17.2)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Whereas:

$ trivy image node:18-alpine
2023-02-21T04:05:28.357-0500	INFO	Vulnerability scanning is enabled
2023-02-21T04:05:28.357-0500	INFO	Secret scanning is enabled
2023-02-21T04:05:28.357-0500	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-02-21T04:05:28.357-0500	INFO	Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
2023-02-21T04:05:29.529-0500	INFO	Detected OS: alpine
2023-02-21T04:05:29.529-0500	INFO	Detecting Alpine vulnerabilities...
2023-02-21T04:05:29.531-0500	INFO	Number of language-specific files: 1
2023-02-21T04:05:29.532-0500	INFO	Detecting node-pkg vulnerabilities...

node:18-alpine (alpine 3.17.2)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

2023-02-21T04:05:29.537-0500	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Node.js (node-pkg)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                       Title                       │
├─────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ http-cache-semantics (package.json) │ CVE-2022-25881 │ HIGH     │ 4.1.0             │ 4.1.1         │ CVE-2022-25881 affecting package nodejs 16.18.1-2 │
│                                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25881        │
└─────────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

It appears that a PR is waiting for approval that will fix this.

@PhantomRay

@apaniban in your Dockerfile, use this as a workaround:

RUN npm i -g npm

@nuhasha

nuhasha commented Feb 23, 2023

I would add to what @PhantomRay mentioned:

In your Dockerfile:

RUN npm install -g npm@9.5.0 && apk del npm

Make sure to remove the old npm installation by adding apk del npm.
I used npm v9.5.0 as it's compatible with Node.js 18.14.1-r0, which is used by alpine 3.17.
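Added example, not code from this thread or any of its participants: a POSIX shell check to run inside the image after one of the workarounds above. It walks a node_modules tree (the root path is an assumption; /usr/local/lib/node_modules holds the npm-bundled copy in the node:18-alpine image) and flags every copy of http-cache-semantics below the 4.1.1 fix that the Trivy output reports; the demo fixture is constructed data.

```shell
# Added example, not code from the issue thread. Walk a node_modules tree
# (for the image above, /usr/local/lib/node_modules) and flag every copy of
# http-cache-semantics older than 4.1.1, the fixed version Trivy reports.
FIXED_VERSION="4.1.1"

# version_lt A B: succeed when dotted version A is lower than B
# (pre-release suffixes such as "4.1.0-beta" compare by numeric prefix).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1   # equal is not lower
    }'
}

# scan_http_cache_semantics ROOT: print one line per copy found and return 1
# if any copy is below FIXED_VERSION. Assumes paths without whitespace.
scan_http_cache_semantics() {
    root="$1"; status=0
    for pkg in $(find "$root" -path '*/node_modules/http-cache-semantics/package.json' 2>/dev/null); do
        # pull the top-level "version" field out of package.json without jq
        ver=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
        [ -n "$ver" ] || continue
        if version_lt "$ver" "$FIXED_VERSION"; then
            printf 'VULNERABLE %s %s (fixed in %s)\n' "$pkg" "$ver" "$FIXED_VERSION"
            status=1
        else
            printf 'ok %s %s\n' "$pkg" "$ver"
        fi
    done
    return "$status"
}

# demo_scan: constructed fixture with the 4.1.0 copy Trivy found in the
# image next to a fixed 4.1.1 copy; returns 1 because one copy is vulnerable.
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/old/node_modules/http-cache-semantics" "$tmp/new/node_modules/http-cache-semantics"
    printf '{\n  "name": "http-cache-semantics",\n  "version": "4.1.0"\n}\n' > "$tmp/old/node_modules/http-cache-semantics/package.json"
    printf '{"name":"http-cache-semantics","version":"4.1.1"}\n' > "$tmp/new/node_modules/http-cache-semantics/package.json"
    scan_http_cache_semantics "$tmp"; rc=$?
    rm -rf "$tmp"
    return "$rc"
}
# With a path argument scan that tree; otherwise run the constructed demo.
if [ "$#" -gt 0 ]; then scan_http_cache_semantics "$1"; else demo_scan || echo "demo: vulnerable copy detected as expected"; fi
```

Run as `sh scan.sh /usr/local/lib/node_modules` in the built image; a non-zero exit means a pre-4.1.1 copy is still present, which is the check that the npm upgrade (and the apk del npm step) actually removed the bundled copy.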
