fix(docs): ignore CVE-2025-60876 for mdx-bundler container scan (#6180)

github-actions[bot] · devin-ai-integration[bot] · davidkonigsberg · web-flow · commit a3a4f71785b2 · 2026-01-01T12:07:29.000-05:00
Co-authored-by: github-actions[bot] &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
Co-authored-by: Devin AI &lt;158243242+devin-ai-integration[bot]@users.noreply.github.com&gt;
Co-authored-by: David Konigsberg &lt;72822263+davidkonigsberg@users.noreply.github.com&gt;
diff --git a/.github/workflows/dependabot-alerts-to-prs.yml b/.github/workflows/dependabot-alerts-to-prs.yml
@@ -425,7 +425,11 @@ jobs:
           container_name: mdx-bundler
           github_token: ${{ secrets.GITHUB_TOKEN }}
           slack_token: ${{ secrets.DEVIN_AI_PR_BOT_SLACK_TOKEN }}
-          ignored_cves: ""
+          # CVE-2025-60876: BusyBox wget HTTP request smuggling vulnerability
+          # No upstream fix available (busybox 1.37.0-r50)
+          # Risk accepted: mdx-bundler uses GNU wget (installed via apk) which shadows busybox wget
+          ignored_cves: |
+            CVE-2025-60876
 
   create-grype-pr-self-hosted:
     name: Run grype scan - self-hosted
diff --git a/servers/mdx-bundler/Dockerfile b/servers/mdx-bundler/Dockerfile
@@ -16,7 +16,8 @@ RUN npm install
 # Final stage: use Chainguard Wolfi base for security
 FROM cgr.dev/chainguard/wolfi-base:latest
 
-# Install Node.js, npm, and wget (needed for health checks)
+# Install Node.js, npm, and GNU wget (needed for health checks)
+# GNU wget is explicitly installed to avoid CVE-2025-60876 in busybox wget
 RUN apk add --no-cache nodejs npm wget
 
 WORKDIR /mdx-bundler
