Critical CVE in registry:3.0.0

[wkbrd]

The registry:3.0.0 has a Critical CVE:

CVE-2025-22871
golang / stdlib / 1.23.7

https://hub.docker.com/layers/library/registry/3.0.0/images/sha256-61349442e9c3dc07fd06ffa6a4b622bc28960952b6b3adafcb58fa268ce92e70

This is showing on GitHub as well as with tools, such as Grype.

Can this be fixed?

[tianon]

I verified this still shows up with govulncheck (so it's "real", although I'm not sure how realistic it is as an actual attack vector, especially given the only place the registry really uses chunked encoding to my knowledge is blob uploads where the contents get digest-verified anyhow) 😞

[wkbrd]

This CVE continues to appear in scan reports for registry 3.0.0. Can an updated registry container be authored that utilizes updated dependencies that would resolve this CVE? According to the CVE, it has been addressed in the underlying library.