CVE-2025-29087 sqlite

[spels47]

https://avd.aquasec.com/nvd/2025/cve-2025-29087/

https://hub.docker.com/layers/library/python/alpine3.21/images/sha256-97ddd224af57478df8d36e0636b2a117174f7237dbf230bb181a33e7a36ad654

python:alpine3.21 has a vulnerable sqlite package installed, and was wondering if someone could update it and maybe look into other vulnerabilities that is listed in docker hub?

[tianon]

Looking at the latest version of the python:alpine3.21 tag, it appears to have zero? 🤔 Is it possible you have an outdated link?

https://hub.docker.com/layers/library/python/alpine3.21/images/sha256-819d87d5cee7a93d6ad250094d749210b33274de0b51192a1b96a49bf8a64f45

(tag-specific links to Docker Hub aren't always the most reliable thing 🙈)

[spels47]

the vulnerability we care most about is the one in the aqua database. We run scans using other tools in our pipelines for vulnerabilities and it flagged the sqlite package as having this vulnerability, you can see in the first link in my comment, if the package is between version 3.44.0 (including) and 3.49.1 (excluding) then it is exposed to that vulnerability. I was wondering if you could look into changing the version on the sql package? it would help us greatly as we cant make any releases with high or critical vulnerabilities in our used images.

[spels47]

as for the url thing, yeah it seems to be a bit weird, the url you provided showed no vulnerabilities, and a different version of the sql package, still within that span i mentioned, but not the same either.

[yosifkit]

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).

-https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

The fixed version of SQLite for Alpine 3.21 is 3.48.0-r1 (https://security.alpinelinux.org/vuln/CVE-2025-29087). The python:alpine3.21 image currently contains 3.48.0-r0. The image will be rebuilt when either the base image changes or if the Dockerfile (build context) changes.

I don't see how this vulnerability is a major security concern that warrants an immediate, labor-intensive rebuild as it is only when using the concat_ws SQL function on a SQLite database and only then if the attacker controls the separator argument.

🔨 If users need updated packages sooner, then they should apk upgrade in their own images FROM python:*-alpine.