CVE-2025-65965: Critical Grype Vulnerability Leaks Registry Credentials

Overview

A credential disclosure vulnerability, identified as CVE-2025-65965, has been discovered in Grype, a popular vulnerability scanner for container images and filesystems. This vulnerability affects versions 0.68.0 through 0.104.0. When using the --file or --output json=<file> options, Grype inadvertently includes registry credentials within the output file, potentially exposing sensitive information.

Technical Details

The vulnerability stems from improper sanitization of registry credentials when writing Grype’s output to a file. Specifically, if registry credentials are defined (e.g., via environment variables or configuration files), the credentials are included in plain text within the JSON output file created using the --file or --output json=<file> options. This can lead to unauthorized access to container registries if the output file is compromised or inadvertently shared.

The fix sanitizes these credentials before the output is written to the file, so the JSON report no longer carries the configured registry secrets.

CVSS Analysis

Currently, the CVSS score for CVE-2025-65965 is not available (N/A). However, given the potential for sensitive credential exposure, it is likely to be rated as a High or Critical severity vulnerability once a score is assigned. We recommend prioritizing patching based on the potential impact to your environment.

Possible Impact

Successful exploitation of this vulnerability could have severe consequences, including:

  • Unauthorized access to container registries: Compromised credentials could allow attackers to pull, push, and modify container images, potentially injecting malicious code into your environment.
  • Data breaches: If the compromised registry contains sensitive data, attackers could gain access to it.
  • Supply chain attacks: Attackers could use compromised credentials to inject vulnerabilities into base images, impacting downstream users of those images.

Mitigation or Patch Steps

The vulnerability has been patched in Grype version 0.104.1. We strongly recommend upgrading to this version as soon as possible.

To mitigate the risk before upgrading, use the following workaround:

  • Redirect the standard output (stdout) to a file instead of using the --file or --output json=<file> options. For example: grype > output.txt or grype --output json | jq . > output.json. This bypasses the vulnerable code path.
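As an added defensive check that is not part of this advisory or of the Grype project, the following script scans a JSON report written by an affected version for embedded secret values, reports where they sit, and produces a redacted copy. The set of key names treated as secrets, the sample report, and the assumed location of the credentials (descriptor.configuration.registry.auth) are all assumptions.

```python
import json

# Key names whose values are treated as secrets (assumed list, not taken from Grype).
SECRET_KEYS = {"password", "token", "secret", "tls-key"}
REDACTED = "******"


def find_credentials(node, path="$"):
    """Walk a parsed report and return the path of every non-empty secret value."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() in SECRET_KEYS:
                if isinstance(value, str) and value and value != REDACTED:
                    hits.append(child)
            else:
                hits.extend(find_credentials(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_credentials(item, f"{path}[{i}]"))
    return hits


def redact(node):
    """Return a copy of the report with every secret value masked."""
    if isinstance(node, dict):
        return {k: REDACTED if k.lower() in SECRET_KEYS and v else redact(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(item) for item in node]
    return node


def check_report(text):
    """Parse a report; return (leaked credential paths, redacted JSON text)."""
    report = json.loads(text)
    return find_credentials(report), json.dumps(redact(report), indent=2)


# Constructed sample shaped like a report written with --file by an affected version;
# the credential location (descriptor.configuration.registry.auth) is assumed.
SAMPLE_REPORT = json.dumps({
    "matches": [],
    "descriptor": {"name": "grype", "version": "0.104.0", "configuration": {
        "registry": {"auth": [{"authority": "registry.example.internal",
                               "username": "ci-bot",
                               "password": "example-password-not-real"}]}}},
})
```

Run `check_report` over any report files produced before the upgrade before they are archived or shared; a non-empty first element means the file contains a credential and the registry password or token should be rotated.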

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
