Vulnerablities in node-cache version 1.26.5

[K-Cuttler]

A few vulnerabilities are present in the mentioned version, information is below:

           PACKAGE             TYPE   VERSION   SUGGESTED FIX  CRITICAL  HIGH  MEDIUM  LOW  NEGLIGIBLE  EXPLOIT  
  github.com/coredns/coredns  golang  v1.12.2      v1.12.4        0       1      0      0       0          0     
  k8s.io/kubernetes           golang  v1.30.12    v1.31.12        0       0      3      0       0          0 

Coredns is associated with: CVE-2025-58063 and Kubernetes with CVE-2025-5187. A fix in HEAD is available for the Kubernetes version but not the coredns version. Coredns has releases an upstream version: v1.12.4 that fixes the vulnerability.

[Michcioperz]

I just want to point out that in the context of k/dns both of these should be false positives. CoreDNS's CVE-2025-58063 is concerned with the etcd plugin that is not being built in. And the only component of k8s.io/kubernetes used by this repo (as seen in https://github.com/kubernetes/dns/tree/master/vendor/k8s.io/kubernetes) is the tiny iptables library, so the CVE which relates to the behavior of kube-apiserver is also not relevant.

[K-Cuttler]

I just want to point out that in the context of k/dns both of these should be false positives. CoreDNS's CVE-2025-58063 is concerned with the etcd plugin that is not being built in. And the only component of k8s.io/kubernetes used by this repo (as seen in https://github.com/kubernetes/dns/tree/master/vendor/k8s.io/kubernetes) is the tiny iptables library, so the CVE which relates to the behavior of kube-apiserver is also not relevant.

I appreciate the clarification, that meshes with my initial investigation as well. Thank you!

[sidewinder12s]

Might try re-scanning with the just released image: #728

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten