Multiple CRITICAL and HIGH CVEs in postgis/postgis:16-3.5-alpine (Go stdlib via gosu, Alpine pkgdb)

[ChrisMcCarthyDev]

postgis/postgis:16-3.5-alpine (latest pull as of 20 February 2026)

Description

Security scanning (Anchore) of the 16-3.5-alpine image identifies multiple CRITICAL and HIGH severity CVEs across two categories: Go standard library vulnerabilities in the bundled gosu binary, and Alpine OS package vulnerabilities reported via pkgdb. None of these have upstream fixes available at this time.

This is blocking a production deployment in an environment with strict container security policies (enforces zero CRITICAL/HIGH CVEs in production).

I'm aware of #415 which covers similar Go stdlib issues in the 15-3.5 image. This issue is specific to the 16-3.5-alpine tag and includes additional Alpine pkgdb findings.

Go stdlib (via /usr/local/bin/gosu)

CVE	Severity
CVE-2025-68121	CRITICAL
CVE-2025-61723	HIGH
CVE-2025-61725	HIGH
CVE-2025-61726	HIGH
CVE-2025-58188	HIGH
CVE-2025-58187	HIGH
CVE-2025-61729	HIGH
CVE-2025-61731	HIGH
CVE-2025-61732	HIGH

These would be resolved by rebuilding gosu with Go 1.24.13 or later.

Alpine pkgdb

CVE	Severity
CVE-2025-48072	CRITICAL
CVE-2025-54874	CRITICAL
CVE-2025-48071	HIGH
CVE-2025-64181	HIGH
CVE-2025-64182	HIGH
CVE-2025-64183	HIGH
CVE-2024-1013	HIGH
CVE-2023-52356	HIGH

Request

Could the Alpine-based images be rebuilt with:

• An updated gosu binary compiled with Go >= 1.24.13
• Updated Alpine base packages where fixes are available

I appreciate that some of these (particularly the pkgdb entries) may be waiting on Alpine upstream. Any visibility on rebuild timelines or workarounds would be helpful.

Environment

• Scanner: Anchore
• Image: postgis/postgis:16-3.5-alpine
• Platform: linux/amd64
• Pulled: 20 February 2026

[ImreSamu]

Thank you for your report.

In 16-3.5/alpine/Dockerfile we use postgres:16-alpine3.22 as the base image. That image ships the upstream gosu binary from the tianon/gosu project (we do not build or vendor gosu separately in this repository).

To double-check the finding, I ran govulncheck against the gosu binary currently present in postgis/postgis:16-3.5-alpine. Result: No vulnerabilities found (with the current vuln.go.dev database).

docker run -i --rm postgis/postgis:16-3.5-alpine bash -s <<'EOF'
  wget -q https://go.dev/dl/go1.26.0.linux-amd64.tar.gz
  tar -C /usr/local -xzf go1.26.0.linux-amd64.tar.gz
  export PATH=$PATH:/usr/local/go/bin
  go install golang.org/x/vuln/cmd/govulncheck@latest
  /root/go/bin/govulncheck -version
  which gosu
  ls -la /usr/local/bin/gosu
  /usr/local/bin/gosu -v
  /root/go/bin/govulncheck -mode=binary /usr/local/bin/gosu  
EOF

Log:

$ docker run -i --rm postgis/postgis:16-3.5-alpine bash -s <<'EOF'
>   wget -q https://go.dev/dl/go1.26.0.linux-amd64.tar.gz
>   tar -C /usr/local -xzf go1.26.0.linux-amd64.tar.gz
>   export PATH=$PATH:/usr/local/go/bin
>   go install golang.org/x/vuln/cmd/govulncheck@latest
>   /root/go/bin/govulncheck -version
>   which gosu
>   ls -la /usr/local/bin/gosu
>   /usr/local/bin/gosu -v
>   /root/go/bin/govulncheck -mode=binary /usr/local/bin/gosu  
> EOF
go: downloading golang.org/x/vuln v1.1.4
go: downloading golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7
go: downloading golang.org/x/tools v0.29.0
go: downloading golang.org/x/mod v0.22.0
go: downloading golang.org/x/sync v0.10.0
Go: go1.26.0
Scanner: govulncheck@v1.1.4
DB: https://vuln.go.dev
DB updated: 2026-02-19 17:28:55 +0000 UTC

No vulnerabilities found.
/usr/local/bin/gosu
-rwxr-xr-x    1 root     root       1769900 Feb 12 21:05 /usr/local/bin/gosu
1.19 (go1.24.6 on linux/amd64; gc)
=== Symbol Results ===

No vulnerabilities found.

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 16
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

References:

• Upstream postgres repo issues related to gosu: https://github.com/search?q=repo%3Adocker-library%2Fpostgres+gosu&type=issues
  • Critical & High Security vulnerability issue with Trivy Scan in postgres 16 docker-library/postgres#1297 (comment)
• gosu security policy: https://github.com/tianon/gosu/blob/master/SECURITY.md
• govulncheck reporting discussion in Anchore/Syft: Ignore Go compiler affecting CVE when Docker image only contains a binary compiled with Go anchore/syft#2770
• Tutorial: Find and fix vulnerable dependencies with govulncheck: https://go.dev/doc/tutorial/govulncheck

[ImreSamu]

This is blocking a production deployment in an environment with strict container security policies (enforces zero CRITICAL/HIGH CVEs in production).

As a temporary workaround, you can replace the gosu (1.19) binary in postgis/postgis:16-3.5-alpine with the gosu (1.17) package from alpine:3.23, which is currently built with a newer Go toolchain (and clears the Go-stdlib CVEs in common scanners).

#10 0.202 gosu 1.19 (go1.24.6 on linux/amd64; gc) original
#10 0.202 gosu 1.17 (go1.25.7 on linux/amd64; gc) imported from alpine:3.23

FROM alpine:3.23 AS gosu-from-alpine3.23
RUN apk add gosu && gosu --version && which gosu
# -------------------
FROM postgis/postgis:16-3.5-alpine
RUN gosu --version \
    && which gosu \
    && echo "gosu $(gosu --version) original" >> /_changes.txt
COPY --from=gosu-from-alpine3.23 /usr/bin/gosu  /usr/local/bin/gosu
RUN gosu --version \
    && gosu nobody true \
    && echo "gosu $(gosu --version) imported from alpine:3.23" >> /_changes.txt \
    && cat /_changes.txt
LABEL description="postgis/postgis:16-3.5-alpine with updated gosu from alpine:3.23"

Tested with

docker build --progress=plain --no-cache  -t postgis/postgis:16-3.5-alpine-gosu .
trivy image --ignore-unfixed postgis/postgis:16-3.5-alpine-gosu

log:

#0 building with "default" instance using docker driver

#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 601B done
#1 DONE 0.0s

#2 [internal] load metadata for docker.io/library/alpine:3.23
#2 DONE 0.0s

#3 [internal] load metadata for docker.io/postgis/postgis:16-3.5-alpine
#3 DONE 0.0s

#4 [internal] load .dockerignore
#4 transferring context: 2B done
#4 DONE 0.0s

#5 [gosu-from-alpine3.23 1/2] FROM docker.io/library/alpine:3.23
#5 CACHED

#6 [stage-1 1/4] FROM docker.io/postgis/postgis:16-3.5-alpine
#6 CACHED

#7 [stage-1 2/4] RUN gosu --version     && which gosu     && echo "gosu $(gosu --version) original" >> /_changes.txt
#7 0.305 1.19 (go1.24.6 on linux/amd64; gc)
#7 0.306 /usr/local/bin/gosu
#7 DONE 0.3s

#8 [gosu-from-alpine3.23 2/2] RUN apk add gosu && gosu --version && which gosu
#8 1.070 (1/1) Installing gosu (1.17-r17)
#8 1.154 Executing busybox-1.37.0-r30.trigger
#8 1.162 OK: 11.1 MiB in 17 packages
#8 1.206 1.17 (go1.25.7 on linux/amd64; gc)
#8 1.207 /usr/bin/gosu
#8 DONE 1.2s

#9 [stage-1 3/4] COPY --from=gosu-from-alpine3.23 /usr/bin/gosu  /usr/local/bin/gosu
#9 DONE 0.1s

#10 [stage-1 4/4] RUN gosu --version     && gosu nobody true     && echo "gosu $(gosu --version) imported from alpine:3.23" >> /_changes.txt     && cat /_changes.txt
#10 0.192 1.17 (go1.25.7 on linux/amd64; gc)
#10 0.202 gosu 1.19 (go1.24.6 on linux/amd64; gc) original
#10 0.202 gosu 1.17 (go1.25.7 on linux/amd64; gc) imported from alpine:3.23
#10 DONE 0.2s

#11 exporting to image
#11 exporting layers 0.0s done
#11 writing image sha256:c2c5e09dd6c06d42143c9280c2369466cad14ab69ba431f89c6657daa25df342 done
#11 naming to docker.io/postgis/postgis:16-3.5-alpine-gosu done
#11 DONE 0.1s
2026-02-21T01:40:12+01:00	INFO	[vuln] Vulnerability scanning is enabled
2026-02-21T01:40:12+01:00	INFO	[secret] Secret scanning is enabled
2026-02-21T01:40:12+01:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-02-21T01:40:12+01:00	INFO	[secret] Please see https://trivy.dev/docs/v0.69/guide/scanner/secret#recommendation for faster secret detection
2026-02-21T01:40:17+01:00	INFO	Detected OS	family="alpine" version="3.22.3"
2026-02-21T01:40:17+01:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.22" repository="3.22" pkg_num=118
2026-02-21T01:40:17+01:00	INFO	Number of language-specific files	num=1
2026-02-21T01:40:17+01:00	INFO	[gobinary] Detecting vulnerabilities...

Report Summary

┌────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                       Target                       │   Type   │ Vulnerabilities │ Secrets │
├────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ postgis/postgis:16-3.5-alpine-gosu (alpine 3.22.3) │  alpine  │        0        │    -    │
├────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/gosu                                 │ gobinary │        0        │    -    │
└────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

Alternatively, you can build your own gosu 1.19 binary (see https://github.com/tianon/gosu/blob/master/Dockerfile ) with an updated Go toolchain, and replace /usr/local/bin/gosu in a derived image. (Requires minimal Go knowledge.)