CVE-2025-6965 on python 3.12 alpine

[yarinlaniado]

Hey, I noticed that Trivy reported the base image of Python 3.12 as having vulnerabilities, due to the sqlite package it has.
https://avd.aquasec.com/nvd/2025/cve-2025-6965/

[eugene-melnik-wepa]

same for 3.13-alpine

[yosifkit]

They will be rebuilt at the earliest of either the build context (Dockerfile) changing (like a version bump) or their base image changing (alpine:3.22). Of note is that Alpine 3.21 does not appear to have a fix applied (https://security.alpinelinux.org/vuln/CVE-2025-6965) (perhaps it is unaffected? It was fixed later).

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file [(i.e., build context)] or as a result of its base image being updated (ie, an image FROM debian:bookworm would be rebuilt when debian:bookworm is built).

-https://github.com/docker-library/official-images/tree/8384586122f68760fdcfc9472257d177be2d6282#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/e5475a9b3d7c34b8a1e3902df0f4959c5b33e593#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

---

If users need updates sooner, then they should apk --no-cache upgrade in their own image FROM python:*-alpine3.22. It is also recommended to evaluate the CVE to see if your application is not affected (like one of the vex justifications) and thus not need to care about this particular CVE.

Here is a list of the NOT AFFECTED status justifications:
● Component_not_present
● Vulnerable_code_not_present
● Vulnerable_code_cannot_be_controlled_by_adversary
● Vulnerable_code_not_in_execute_path
● Inline_mitigations_already_exist

- https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf