@rayaisaiah rayaisaiah commented Aug 12, 2025

Reason for Change:
Resolves CVE-2025-40909 in the perl-base library in the NPM base Ubuntu image.

v1.6.32 (Current NPM Image):

mcr.microsoft.com/containernetworking/azure-npm:v1.6.32 (ubuntu 24.04)
======================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────┬────────────────┬──────────┬────────┬─────────────────────┬─────────────────────┬────────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │ Status │  Installed Version  │    Fixed Version    │                           Title                            │
├───────────┼────────────────┼──────────┼────────┼─────────────────────┼─────────────────────┼────────────────────────────────────────────────────────────┤
│ perl-base │ CVE-2025-40909 │ MEDIUM   │ fixed  │ 5.38.2-3.2ubuntu0.1 │ 5.38.2-3.2ubuntu0.2 │ perl: Perl threads have a working directory race condition │
│           │                │          │        │                     │                     │ where file operations...                                   │
│           │                │          │        │                     │                     │ https://avd.aquasec.com/nvd/cve-2025-40909                 │
└───────────┴────────────────┴──────────┴────────┴─────────────────────┴─────────────────────┴────────────────────────────────────────────────────────────┘

CVE Fix:

acnpublic.azurecr.io/azure-npm:v1.6.33test2 (ubuntu 24.04)
==========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Issue Fixed:

Requirements:

Notes:

Copilot AI review requested due to automatic review settings August 12, 2025 17:05
@rayaisaiah rayaisaiah added npm Related to NPM. linux labels Aug 12, 2025
@rayaisaiah rayaisaiah requested a review from a team as a code owner August 12, 2025 17:05
@rayaisaiah rayaisaiah requested a review from vakalapa August 12, 2025 17:05
@rayaisaiah
Contributor Author

/azp run Azure Container Networking PR, NPM Scale Test, NPM Conformance Tests

Contributor

Copilot AI left a comment

Pull Request Overview

This PR addresses a security vulnerability (CVE-2025-40909) in the perl-base library within the NPM Docker image by upgrading to a patched version and simplifying the package installation.

  • Updates perl-base from version 5.38.2-3.2ubuntu0.1 to 5.38.2-3.2ubuntu0.2 to resolve CVE-2025-40909
  • Removes several system library packages from the Docker installation to streamline the image
  • Standardizes Dockerfile syntax by capitalizing the AS keyword

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

@Azure Azure deleted a comment from Copilot AI Aug 12, 2025
@Azure Azure deleted a comment from Copilot AI Aug 12, 2025
@rayaisaiah rayaisaiah added this pull request to the merge queue Aug 12, 2025
Merged via the queue into release/v1.6 with commit 2a92909 Aug 12, 2025
28 of 33 checks passed
@rayaisaiah rayaisaiah deleted the isaiahraya/resolve-CVE-2025-40909 branch August 12, 2025 23:36