We performed a security scan on the Kapacitor Docker image using Trivy and observed multiple vulnerabilities (including HIGH and CRITICAL severity findings). These appear to originate from base image dependencies and/or bundled packages.
We would like clarification on:
- Whether these vulnerabilities are already known and being tracked
- If there is a planned timeline for remediation
- Recommended mitigation steps for production deployments
Environment
- Kapacitor Version: 1.8.2
- Docker Image: kapacitor:1.8.2
Summary of Findings
Trivy Vulnerability Scan Results (usr/bin/kapacitor)

| VulnerabilityID | Severity | CVSS Score | Title | Library | Vulnerable Version | Fixed Version | Information URL | Triage Information |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-47914 | MEDIUM | | The Go Programming Language SSH Agent servers: Denial of Service due to malformed messages | The Go Programming Language | v0.36.0 | 0.45.0 | https://avd.aquasec.com/nvd/2025/cve-2025-47914/ | |
| CVE-2025-58181 | MEDIUM | | The Go Programming Language Denial of Service via unbounded memory consumption in GSSAPI authentication | The Go Programming Language | v0.36.0 | 0.45.0 | https://avd.aquasec.com/nvd/2025/cve-2025-58181/ | |
| CVE-2025-58183 | HIGH | | golang: archive/tar: Unbounded allocation when parsing GNU sparse map | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-58183/ | |
| CVE-2025-61726 | HIGH | | golang: net/url: Memory exhaustion in query parameter parsing in net/url | stdlib | v1.24.6 | 1.24.12, 1.25.6 | https://avd.aquasec.com/nvd/2025/cve-2025-61726/ | |
| CVE-2025-61728 | HIGH | | golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip | stdlib | v1.24.6 | 1.24.12, 1.25.6 | https://avd.aquasec.com/nvd/2025/cve-2025-61728/ | |
| CVE-2025-61729 | HIGH | | crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate | stdlib | v1.24.6 | 1.24.11, 1.25.5 | https://avd.aquasec.com/nvd/2025/cve-2025-61729/ | |
| CVE-2025-61730 | HIGH | | During the TLS 1.3 handshake if multiple messages are sent in records … | stdlib | v1.24.6 | 1.24.12, 1.25.6 | https://avd.aquasec.com/nvd/2025/cve-2025-61730/ | |
| CVE-2025-68121 | HIGH | | During session resumption in crypto/tls, if the underlying Config has … | stdlib | v1.24.6 | 1.24.13, 1.25.7, 1.26.0-rc.3 | https://avd.aquasec.com/nvd/2025/cve-2025-68121/ | |
| CVE-2025-47912 | MEDIUM | | net/url: Insufficient validation of bracketed IPv6 hostnames in net/url | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-47912/ | |
| CVE-2025-58185 | MEDIUM | | encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1 | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-58185/ | |
| CVE-2025-58186 | MEDIUM | | golang.org/net/http: Lack of limit when parsing cookies can cause memory exhaustion in net/http | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-58186/ | |
| CVE-2025-58187 | MEDIUM | | crypto/x509: Quadratic complexity when checking name constraints in crypto/x509 | stdlib | v1.24.6 | 1.24.9, 1.25.3 | https://avd.aquasec.com/nvd/2025/cve-2025-58187/ | |
| CVE-2025-58188 | MEDIUM | | crypto/x509: golang: Panic when validating certificates with DSA public keys in crypto/x509 | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-58188/ | |
| CVE-2025-58189 | MEDIUM | | crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-58189/ | |
| CVE-2025-61723 | MEDIUM | | encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-61723/ | |
| CVE-2025-61724 | MEDIUM | | net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-61724/ | |
| CVE-2025-61725 | MEDIUM | | net/mail: Excessive CPU consumption in ParseAddress in net/mail | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-61725/ | |
| CVE-2025-61727 | MEDIUM | | golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs | stdlib | v1.24.6 | 1.24.11, 1.25.5 | https://avd.aquasec.com/nvd/2025/cve-2025-61727/ | |
Trivy Dependency Scan Results (usr/bin/kapacitor)

| ID | Name | Version | Notes |
| --- | --- | --- | --- |
| github.com/influxdata/kapacitor@v1.8.2 | GitHub - influxdata/kapacitor: Open source framework for processing, monitoring, and alerting on time series data | v1.8.2 | |
| stdlib@v1.24.6 | stdlib | v1.24.6 | |
| github.com/AlecAivazis/survey/v2@v2.2.9 | github.com/AlecAivazis/survey/v2 | v2.2.9 | |
| github.com/BurntSushi/toml@v1.4.1-0.20240526193622-a339e1f7089c | GitHub - BurntSushi/toml: TOML parser for Golang with reflection. | v1.4.1-0.20240526193622-a339e1f7089c | |
| github.com/andreyvit/diff@v0.0.0-20170406064948-c7f18ee00883 | GitHub - andreyvit/diff: Quick'n'easy string diffs for Golang, mainly for diffing strings in tests | v0.0.0-20170406064948-c7f18ee00883 | |
| github.com/apache/arrow/go/v7@v7.0.1 | github.com/apache/arrow/go/v7 | v7.0.1 | |
| github.com/benbjohnson/immutable@v0.3.0 | GitHub - benbjohnson/immutable: Immutable collections for Go | v0.3.0 | |
| github.com/cespare/xxhash@v1.1.0 | GitHub - cespare/xxhash: A Go implementation of the 64-bit xxHash algorithm (XXH64) | v1.1.0 | |
| github.com/cespare/xxhash/v2@v2.2.0 | github.com/cespare/xxhash/v2 | v2.2.0 | |
| github.com/cpuguy83/go-md2man/v2@v2.0.0 | github.com/cpuguy83/go-md2man/v2 | v2.0.0 | |
| github.com/dustin/go-humanize@v1.0.1 | GitHub - dustin/go-humanize: Go Humans! (formatters for units to human friendly sizes) | v1.0.1 | |
| github.com/ghodss/yaml@v1.0.0 | GitHub - ghodss/yaml: A better way to marshal and unmarshal YAML in Golang | v1.0.0 | |
| github.com/goccy/go-json@v0.10.2 | GitHub - goccy/go-json: Fast JSON encoder/decoder compatible with encoding/json for Go | v0.10.2 | |
| github.com/gofrs/uuid@v3.3.0+incompatible | GitHub - gofrs/uuid: A UUID package for Go | v3.3.0+incompatible | |
| github.com/gogo/protobuf@v1.3.2 | github.com/gogo/protobuf | v1.3.2 | |
| github.com/google/flatbuffers@v23.5.26+incompatible | github.com/google/flatbuffers | v23.5.26+incompatible | |
| github.com/google/go-cmp@v0.7.0 | github.com/google/go-cmp | v0.7.0 | |
| github.com/influxdata/flux@v0.191.0 | github.com/influxdata/flux | v0.191.0 | |
| github.com/influxdata/influx-cli/v2@v2.0.0-20210526124422-63da8eccbdb7 | github.com/influxdata/influx-cli/v2 | v2.0.0-20210526124422-63da8eccbdb7 | |
| github.com/influxdata/influxdb@v1.9.6 | github.com/influxdata/influxdb | v1.9.6 | |
| github.com/influxdata/influxql@v1.1.1-0.20211004132434-7e7d61973256 | github.com/influxdata/influxql | v1.1.1-0.20211004132434-7e7d61973256 | |
| github.com/kballard/go-shellquote@v0.0.0-20180428030007-95032a82bc51 | github.com/kballard/go-shellquote | v0.0.0-20180428030007-95032a82bc51 | |
| github.com/mattn/go-colorable@v0.1.13 | github.com/mattn/go-colorable | v0.1.13 | |
| github.com/mattn/go-isatty@v0.0.19 | github.com/mattn/go-isatty | v0.0.19 | |
| github.com/mgutz/ansi@v0.0.0-20170206155736-9520e82c474b | github.com/mgutz/ansi | v0.0.0-20170206155736-9520e82c474b | |
| github.com/opentracing/opentracing-go@v1.2.0 | github.com/opentracing/opentracing-go | v1.2.0 | |
| github.com/pkg/errors@v0.9.1 | github.com/pkg/errors | v0.9.1 | |
| github.com/russross/blackfriday/v2@v2.0.1 | github.com/russross/blackfriday/v2 | v2.0.1 | |
| github.com/sergi/go-diff@v1.0.0 | github.com/sergi/go-diff | v1.0.0 | |
| github.com/shurcooL/sanitized_anchor_name@v1.0.0 | github.com/shurcooL/sanitized_anchor_name | v1.0.0 | |
| github.com/uber/jaeger-client-go@v2.28.0+incompatible | github.com/uber/jaeger-client-go | v2.28.0+incompatible | |
| github.com/uber/jaeger-lib@v2.4.1+incompatible | github.com/uber/jaeger-lib | v2.4.1+incompatible | |
| github.com/urfave/cli/v2@v2.3.0 | github.com/urfave/cli/v2 | v2.3.0 | |
| github.com/xlab/treeprint@v1.0.0 | github.com/xlab/treeprint | v1.0.0 | |
| go.uber.org/atomic@v1.7.0 | go.uber.org/atomic | v1.7.0 | |
| go.uber.org/multierr@v1.6.0 | go.uber.org/multierr | v1.6.0 | |
| go.uber.org/zap@v1.16.0 | go.uber.org/zap | v1.16.0 | |
| golang.org/x/crypto@v0.36.0 | The Go Programming Language | v0.36.0 | |
| golang.org/x/sync@v0.12.0 | golang.org/x/sync | v0.12.0 | |
| golang.org/x/sys@v0.31.0 | golang.org/x/sys | v0.31.0 | |
| golang.org/x/term@v0.30.0 | golang.org/x/term | v0.30.0 | |
| golang.org/x/text@v0.23.0 | golang.org/x/text | v0.23.0 | |
| golang.org/x/xerrors@v0.0.0-20220907171357-04be3eba64a2 | golang.org/x/xerrors | v0.0.0-20220907171357-04be3eba64a2 | |
| google.golang.org/protobuf@v1.33.0 | google.golang.org/protobuf | v1.33.0 | |
| gopkg.in/yaml.v2@v2.4.0 | gopkg.in/yaml.v2 | v2.4.0 | |

Trivy Vulnerability Scan Results (usr/bin/kapacitord)

| VulnerabilityID | Severity | CVSS Score | Title | Library | Vulnerable Version | Fixed Version | Information URL | Triage Information |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-54410 | LOW | 5.2 | github.com/moby/moby: Moby's Firewalld reload removes bridge network isolation | github.com/docker/docker | v27.1.1+incompatible | 28.0.0 | https://avd.aquasec.com/nvd/cve-2025-54410 | |
| CVE-2025-63811 | HIGH | | An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allow … | github.com/dvsekhvalnov/jose2go | v1.6.0 | 1.7.0 | https://avd.aquasec.com/nvd/cve-2025-63811 | |
| CVE-2025-10543 | MEDIUM | 5.3 | paho.mqtt.golang: Integer Overflow in UTF-8 String Encoding | github.com/eclipse/paho.mqtt.golang | v1.2.0 | 1.5.1 | https://avd.aquasec.com/nvd/cve-2025-10543 | |
| CVE-2022-21698 | HIGH | 7.5 | prometheus/client_golang: Denial of service using InstrumentHandlerCounter | github.com/prometheus/client_golang | v1.10.0 | 1.11.1 | https://avd.aquasec.com/nvd/cve-2022-21698 | |
| CVE-2025-65637 | HIGH | | github.com/sirupsen/logrus: Denial-of-Service due to large single-line payload | github.com/sirupsen/logrus | v1.9.0 | 1.8.3, 1.9.1, 1.9.3 | https://avd.aquasec.com/nvd/cve-2025-65637 | |
| CVE-2025-47914 | MEDIUM | | The Go Programming Language SSH Agent servers: Denial of Service due to malformed messages | The Go Programming Language | v0.36.0 | 0.45.0 | https://avd.aquasec.com/nvd/2025/cve-2025-47914/ | |
| CVE-2025-58181 | MEDIUM | | The Go Programming Language Denial of Service via unbounded memory consumption in GSSAPI authentication | The Go Programming Language | v0.36.0 | 0.45.0 | https://avd.aquasec.com/nvd/2025/cve-2025-58181/ | |
| CVE-2025-58183 | HIGH | | golang: archive/tar: Unbounded allocation when parsing GNU sparse map | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-58183/ | |
| CVE-2025-61726 | HIGH | | golang: net/url: Memory exhaustion in query parameter parsing in net/url | stdlib | v1.24.6 | 1.24.12, 1.25.6 | https://avd.aquasec.com/nvd/2025/cve-2025-61726/ | |
| CVE-2025-61728 | HIGH | | golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip | stdlib | v1.24.6 | 1.24.12, 1.25.6 | https://avd.aquasec.com/nvd/2025/cve-2025-61728/ | |
| CVE-2025-61729 | HIGH | | crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate | stdlib | v1.24.6 | 1.24.11, 1.25.5 | https://avd.aquasec.com/nvd/2025/cve-2025-61729/ | |
| CVE-2025-61730 | HIGH | | During the TLS 1.3 handshake if multiple messages are sent in records … | stdlib | v1.24.6 | 1.24.12, 1.25.6 | https://avd.aquasec.com/nvd/2025/cve-2025-61730/ | |
| CVE-2025-68121 | HIGH | | During session resumption in crypto/tls, if the underlying Config has … | stdlib | v1.24.6 | 1.24.13, 1.25.7, 1.26.0-rc.3 | https://avd.aquasec.com/nvd/2025/cve-2025-68121/ | |
| CVE-2025-47912 | MEDIUM | | net/url: Insufficient validation of bracketed IPv6 hostnames in net/url | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-47912/ | |
| CVE-2025-58185 | MEDIUM | | encoding/asn1: Parsing DER payload can cause memory exhaustion in encoding/asn1 | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-58185/ | |
| CVE-2025-58186 | MEDIUM | | golang.org/net/http: Lack of limit when parsing cookies can cause memory exhaustion in net/http | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-58186/ | |
| CVE-2025-58187 | MEDIUM | | crypto/x509: Quadratic complexity when checking name constraints in crypto/x509 | stdlib | v1.24.6 | 1.24.9, 1.25.3 | https://avd.aquasec.com/nvd/2025/cve-2025-58187/ | |
| CVE-2025-58188 | MEDIUM | | crypto/x509: golang: Panic when validating certificates with DSA public keys in crypto/x509 | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-58188/ | |
| CVE-2025-58189 | MEDIUM | | crypto/tls: go crypto/tls ALPN negotiation error contains attacker controlled information | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-58189/ | |
| CVE-2025-61723 | MEDIUM | | encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-61723/ | |
| CVE-2025-61724 | MEDIUM | | net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-61724/ | |
| CVE-2025-61725 | MEDIUM | | net/mail: Excessive CPU consumption in ParseAddress in net/mail | stdlib | v1.24.6 | 1.24.8, 1.25.2 | https://avd.aquasec.com/nvd/2025/cve-2025-61725/ | |
| CVE-2025-61727 | MEDIUM | | golang: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs | stdlib | v1.24.6 | 1.24.11, 1.25.5 | https://avd.aquasec.com/nvd/2025/cve-2025-61727/ | |
