Copilot AI commented Aug 12, 2025

This PR resolves CVE-2025-40909, a medium-severity security vulnerability in the perl-base library affecting the NPM container image.

Issue

The current NPM image built from npm/linux.Dockerfile contains perl-base version 5.38.2-3.2ubuntu0.1, which has a race condition vulnerability where Perl threads can have working directory race conditions affecting file operations.

Solution

Updated the package installation in npm/linux.Dockerfile to explicitly install the fixed version perl-base=5.38.2-3.2ubuntu0.2, which resolves the security vulnerability.

Changes

  • Added perl-base=5.38.2-3.2ubuntu0.2 to the existing apt-get install command in line 11 of npm/linux.Dockerfile
  • This ensures the container uses the patched version that fixes the race condition

Security Impact

  • CVE ID: CVE-2025-40909
  • Severity: Medium
  • Component: perl-base library
  • Fix: Updates from vulnerable version 5.38.2-3.2ubuntu0.1 to patched version 5.38.2-3.2ubuntu0.2
  • Issue: Race condition in Perl threads affecting file operations

The change is minimal and surgical, affecting only the specific package version needed to resolve the security vulnerability without impacting any application functionality.

Fixes #3923.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • centralus.data.mcr.microsoft.com

If you need me to access, download, or install something from one of these locations, you can either:


Copilot AI commented Aug 12, 2025

@rayaisaiah 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

Copilot AI changed the title from "[WIP] NPM Image CVE: Resolve CVE-2025-40909 in the perl-base Library" to "Fix CVE-2025-40909: Update perl-base to version 5.38.2-3.2ubuntu0.2 in NPM image" on Aug 12, 2025
Copilot AI requested a review from rayaisaiah August 12, 2025 17:28
Copilot finished work on behalf of rayaisaiah August 12, 2025 17:28
@rayaisaiah rayaisaiah closed this Aug 12, 2025