CVE-2025-65965 (GCVE-0-2025-65965)

Vulnerability from cvelistv5

Published

2025-11-25 19:36

Modified

2025-11-25 20:08

Severity ?

8.2 (High) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

CWE

CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer

Summary

Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file. This issue has been patched in version 0.104.1. Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options.

References

URL

Tags

	security-advisories@github.com	https://github.com/anchore/grype/commit/39f7fa17af2739cafe9b27176d4a68f7c05f21c1
	security-advisories@github.com	https://github.com/anchore/grype/pull/3068
	security-advisories@github.com	https://github.com/anchore/grype/security/advisories/GHSA-6gxw-85q2-q646

Impacted products

	Vendor	Product	Version
	anchore	grype	Version: >= 0.68.0, < 0.104.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-65965",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-25T20:08:41.560826Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-25T20:08:48.709Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grype",
          "vendor": "anchore",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.68.0, \u003c 0.104.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=\u003cfile\u003e option, the registry credentials will be included unsanitized in the output file. This issue has been patched in version 0.104.1. Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-212",
              "description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-25T19:36:11.090Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/anchore/grype/security/advisories/GHSA-6gxw-85q2-q646",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/anchore/grype/security/advisories/GHSA-6gxw-85q2-q646"
        },
        {
          "name": "https://github.com/anchore/grype/pull/3068",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/anchore/grype/pull/3068"
        },
        {
          "name": "https://github.com/anchore/grype/commit/39f7fa17af2739cafe9b27176d4a68f7c05f21c1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/anchore/grype/commit/39f7fa17af2739cafe9b27176d4a68f7c05f21c1"
        }
      ],
      "source": {
        "advisory": "GHSA-6gxw-85q2-q646",
        "discovery": "UNKNOWN"
      },
      "title": "Grype has a credential disclosure vulnerability in Grype JSON output"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-65965",
    "datePublished": "2025-11-25T19:36:11.090Z",
    "dateReserved": "2025-11-18T16:14:56.694Z",
    "dateUpdated": "2025-11-25T20:08:48.709Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-65965\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-25T20:16:00.453\",\"lastModified\":\"2025-11-25T22:16:16.690\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=\u003cfile\u003e option, the registry credentials will be included unsanitized in the output file. This issue has been patched in version 0.104.1. Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-212\"}]}],\"references\":[{\"url\":\"https://github.com/anchore/grype/commit/39f7fa17af2739cafe9b27176d4a68f7c05f21c1\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/anchore/grype/pull/3068\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/anchore/grype/security/advisories/GHSA-6gxw-85q2-q646\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-65965\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-25T20:08:41.560826Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-25T20:08:45.795Z\"}}], \"cna\": {\"title\": \"Grype has a credential disclosure vulnerability in Grype JSON output\", \"source\": {\"advisory\": \"GHSA-6gxw-85q2-q646\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.2, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"anchore\", \"product\": \"grype\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.68.0, \u003c 0.104.1\"}]}], \"references\": [{\"url\": \"https://github.com/anchore/grype/security/advisories/GHSA-6gxw-85q2-q646\", \"name\": \"https://github.com/anchore/grype/security/advisories/GHSA-6gxw-85q2-q646\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/anchore/grype/pull/3068\", \"name\": \"https://github.com/anchore/grype/pull/3068\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/anchore/grype/commit/39f7fa17af2739cafe9b27176d4a68f7c05f21c1\", \"name\": \"https://github.com/anchore/grype/commit/39f7fa17af2739cafe9b27176d4a68f7c05f21c1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=\u003cfile\u003e option, the registry credentials will be included unsanitized in the output file. This issue has been patched in version 0.104.1. Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-212\", \"description\": \"CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-25T19:36:11.090Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-65965\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-25T20:08:48.709Z\", \"dateReserved\": \"2025-11-18T16:14:56.694Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-25T19:36:11.090Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

fkie_cve-2025-65965

Vulnerability from fkie_nvd

Published

2025-11-25 20:16

Modified

2025-11-25 22:16

Severity ?

8.2 (High) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/anchore/grype/commit/39f7fa17af2739cafe9b27176d4a68f7c05f21c1
	security-advisories@github.com	https://github.com/anchore/grype/pull/3068
	security-advisories@github.com	https://github.com/anchore/grype/security/advisories/GHSA-6gxw-85q2-q646

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=\u003cfile\u003e option, the registry credentials will be included unsanitized in the output file. This issue has been patched in version 0.104.1. Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options."
    }
  ],
  "id": "CVE-2025-65965",
  "lastModified": "2025-11-25T22:16:16.690",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-25T20:16:00.453",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/anchore/grype/commit/39f7fa17af2739cafe9b27176d4a68f7c05f21c1"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/anchore/grype/pull/3068"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/anchore/grype/security/advisories/GHSA-6gxw-85q2-q646"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-212"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-6gxw-85q2-q646

Vulnerability from github

Published

2025-11-25 14:18

Modified

2025-11-27 08:42

Severity ?

8.2 (High) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Summary

Grype has a credential disclosure vulnerability in its JSON output

Details

A credential disclosure vulnerability was found in Grype, affecting versions v0.68.0 through v0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file.

Impact

In Grype versions v0.68.0 through v0.104.0, when registry authentication is configured, those credentials can be incorrectly included in the output of a Grype scan (regardless of whether those credentials are actively being used for the current scan). Users that do not have registry authentication configured are not affected by this issue.

Registry credentials can be set via the Grype configuration file (e.g. registry.auth[].username, registry.auth[].password, registry.auth[].token) or environment variables (e.g., GRYPE_REGISTRY_AUTH_USERNAME, GRYPE_REGISTRY_AUTH_PASSWORD, GRYPE_REGISTRY_AUTH_TOKEN).

In order for the authentication details to be improperly included, the Grype file output format must be set to json with output target set to a file. For example --output json=file.json or --output json --file file.json. When these conditions are met, the configured credentials are not sanitized as they should be in the resulting JSON output file.

The authentication details could also be leaked via a malformed Grype Template. A Grype Template that includes the Descriptor.Registry.Auth fields would also include the unsanitized registry credentials. There are no known templates that include these fields.

Patches

The patch has been released in v0.104.1.

Workaround

Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options.

For example, replacing the command:

```

using `--output json=path` (or `--file`) leaks credentials

grype --output json=test.json alpine:latest ```

with

```

no use of `--output json=path` or `--file`. Output is sanitized...

grype --output json alpine:latest > test.json ```

...results in the same test.json output, but the credentials will be properly sanitized.

Resources

Patch pull request: https://github.com/anchore/grype/pull/3068

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/anchore/grype"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.68.0"
            },
            {
              "fixed": "0.104.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-65965"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-25T14:18:46Z",
    "nvd_published_at": "2025-11-25T20:16:00Z",
    "severity": "HIGH"
  },
  "details": "A credential disclosure vulnerability was found in Grype, affecting versions `v0.68.0` through `v0.104.0`. If registry credentials are defined and the output of grype is written using the `--file` or `--output json=\u003cfile\u003e` option, the registry credentials will be included unsanitized in the output file.\n\n## Impact\n\nIn Grype versions `v0.68.0` through `v0.104.0`, when registry authentication is configured, those credentials can be incorrectly included in the output of a Grype scan (regardless of whether those credentials are actively being used for the current scan). Users that do not have registry authentication configured are not affected by this issue.\n\nRegistry credentials can be set via the Grype configuration file (e.g. `registry.auth[].username`, `registry.auth[].password`, `registry.auth[].token`) or environment variables (e.g., `GRYPE_REGISTRY_AUTH_USERNAME`, `GRYPE_REGISTRY_AUTH_PASSWORD`, `GRYPE_REGISTRY_AUTH_TOKEN`).\n\nIn order for the authentication details to be improperly included, the Grype file output format must be set to `json` with output target set to a file. For example `--output json=file.json` or `--output json --file file.json`. When these conditions are met, the configured credentials are not sanitized as they should be in the resulting JSON output file.\n\nThe authentication details could also be leaked via a malformed Grype Template. A Grype Template that includes the `Descriptor.Registry.Auth` fields would also include the unsanitized registry credentials. There are no known templates that include these fields.\n\n## Patches\nThe patch has been released in `v0.104.1`.\n\n## Workaround\nUsers running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the `--file` or `--output` options.\n\nFor example, replacing the command:\n\n```\n# using `--output json=path` (or `--file`) leaks credentials\ngrype --output json=test.json alpine:latest\n```\n\nwith\n\n```\n# no use of `--output json=path` or `--file`. Output is sanitized...\ngrype --output json alpine:latest \u003e test.json\n```\n\n...results in the same `test.json` output, but the credentials will be properly sanitized.\n\n## Resources\nPatch pull request: https://github.com/anchore/grype/pull/3068",
  "id": "GHSA-6gxw-85q2-q646",
  "modified": "2025-11-27T08:42:37Z",
  "published": "2025-11-25T14:18:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/anchore/grype/security/advisories/GHSA-6gxw-85q2-q646"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65965"
    },
    {
      "type": "WEB",
      "url": "https://github.com/anchore/grype/pull/3068"
    },
    {
      "type": "WEB",
      "url": "https://github.com/anchore/grype/commit/39f7fa17af2739cafe9b27176d4a68f7c05f21c1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/anchore/grype/commit/c99f79de49a58dc16d7fd8f35160b169b87db9de"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/anchore/grype"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Grype has a credential disclosure vulnerability in its JSON output"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-65965 (GCVE-0-2025-65965)

Vulnerability from cvelistv5

fkie_cve-2025-65965

Vulnerability from fkie_nvd

ghsa-6gxw-85q2-q646

Vulnerability from github

Impact

Patches

Workaround

using --output json=path (or --file) leaks credentials

no use of --output json=path or --file. Output is sanitized...

Resources

Tags

Sightings

Nomenclature

using `--output json=path` (or `--file`) leaks credentials

no use of `--output json=path` or `--file`. Output is sanitized...