Description
Event to be logged
Multiple high-severity CVEs have been identified in the /usr/local/bin/argocd binary produced by the Dockerfile:
| CVE | Severity | CVSS | Package | Patched in | Current | Disclosure | Exploitable? | Fix available | Type |
|-----|----------|------|---------|------------|---------|------------|--------------|---------------|------|
| CVE-2025-68156 | HIGH | 7.5 | github.com/expr-lang/expr | 1.17.7 | 1.17.6 | 12/17/2025 | false | LIBRARY | /usr/local/bin/argocd |
| CVE-2025-58187 | HIGH | 7.5 | golang-stdlib | 1.25.3 | 1.25.0 | 11/1/2025 | true | LIBRARY | /usr/local/bin/argocd |
| CVE-2025-58188 | HIGH | 7.5 | golang-stdlib | 1.25.2 | 1.25.0 | 11/1/2025 | true | LIBRARY | /usr/local/bin/argocd |
| CVE-2025-61723 | HIGH | 7.5 | golang-stdlib | 1.25.2 | 1.25.0 | 11/1/2025 | true | LIBRARY | /usr/local/bin/argocd |
| CVE-2025-61725 | HIGH | 7.5 | golang-stdlib | 1.25.2 | 1.25.0 | 11/1/2025 | true | LIBRARY | /usr/local/bin/argocd |
| CVE-2025-61729 | HIGH | 7.5 | golang-stdlib | 1.25.5 | 1.25.0 | 12/4/2025 | true | LIBRARY | /usr/local/bin/argocd |
Impact:
These vulnerabilities may allow attackers to exploit flaws in the affected code, potentially leading to privilege escalation, remote code execution, or other risks. The CVEs are in libraries bundled into the built image.
Proposed Level
Events should be logged at security:high. Please review the image for vulnerable libraries and update dependencies where applicable.
Common Weakness Enumeration
Relevant CWEs may include CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-284 (Improper Access Control). Each CVE should be reviewed for specific associated CWEs.
Reference Dockerfile: https://github.com/argoproj/argo-cd/blob/v3.2.3/Dockerfile
Recommend prioritizing remediation and upgrading affected packages in the Dockerfile build process.