Vulnerability Reportbkimminich/juice-shop:latest

bkimminich/juice-shop:latest

DIGESTsha256:5d572029141b32e065edefc9b09ca88567296ff7134ebe3181ab7ac9e9ed4056

Executive Summary

Threat ScoreDANGEROUS• 82 exposed vulnerabilities, including 10 with severity ≥7.0 and a maximum of 9.8.• Critical findings: CVE-2015-9235 (JWT auth bypass, severity 9.8) and CVE-2019-10744 (prototype pollution, severity 9.1) are highly exploitable with network access.• CVE-2021-23337 (command injection in lodash template) adds remote code execution risk.• Despite high community trust (86M+ pulls), the vulnerability density and severity make this image unsuitable for production.

100/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (86M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could bypass JWT authentication (CVE-2015-9235), execute arbitrary commands via lodash template injection (CVE-2021-23337), or cause denial of service through multiple ReDoS vulnerabilities. The image contains 82 known vulnerabilities, 10 of which are high severity, and the exposed attack surface is broad due to the container's role as a web application. While some vulnerabilities like CVE-2020-15084 require non-default configurations, the overall risk is unacceptable for production deployment.

Vulnerabilities

Vulnerability Log

104 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2015-9235	CRITICAL9.8	jsonwebtoken 0.1.0 fixed in 4.2.2	7.2% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2015-9235	CRITICAL9.8	jsonwebtoken 0.4.0 fixed in 4.2.2	7.2% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2019-10744	CRITICAL9.1	lodash 2.4.2 fixed in 4.17.12	5.0% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2021-23337	HIGH8.28	lodash 2.4.2 fixed in 4.17.21	22.4% High Exploitation Risk	Directly ExposedContext importance: HIGH
CVE-2022-25881	HIGH7.5	http-cache-semantics 3.8.1 fixed in 4.1.1	1.6% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2017-18214	HIGH7.5	moment 2.0.0 fixed in 2.19.3	3.7% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2022-24785	HIGH7.5	moment 2.0.0 fixed in 2.29.2	5.4% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2022-25887	HIGH7.5	sanitize-html 1.4.2 fixed in 2.7.1	1.1% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-32695	HIGH7.5	socket.io-parser 4.0.5 fixed in 4.2.3, 3.4.3, 3.3.4	1.1% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2020-15084	HIGH7.28	express-jwt 0.1.3 fixed in 6.0.0	1.1% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-41940	MEDIUM6.5	engine.io 4.1.2 fixed in 3.6.1, 6.2.1	1.9% Low-Moderate Risk	Directly Exposed
CVE-2018-3721	MEDIUM6.5	lodash 2.4.2 fixed in >=4.17.5	2.4% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2016-4055	MEDIUM6.5	moment 2.0.0 fixed in >=2.11.2	9.9% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2022-23540	MEDIUM6.46	jsonwebtoken 0.1.0 fixed in 9.0.0	0.5% Theoretical Threat	Directly Exposed
CVE-2022-23540	MEDIUM6.46	jsonwebtoken 0.4.0 fixed in 9.0.0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3t64 3.5.6-1~deb13u1 fixed in 3.5.6-1~deb13u2	0.5% Theoretical Threat	Directly Exposed
CVE-2025-65945	MEDIUM6.38	jws 0.2.6 fixed in 3.2.3, 4.0.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-26996	MEDIUM6.38	minimatch 3.0.5 fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3	0.5% Theoretical Threat	Directly Exposed
CVE-2026-2359	MEDIUM6.38	multer 1.4.5-lts.2 fixed in 2.1.0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-3304	MEDIUM6.38	multer 1.4.5-lts.2 fixed in 2.1.0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-3520	MEDIUM6.38	multer 1.4.5-lts.2 fixed in 2.1.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-33151	MEDIUM6.38	socket.io-parser 4.0.5 fixed in 3.3.5, 3.4.4, 4.2.6	0.5% Theoretical Threat	Directly Exposed
CVE-2026-41907	MEDIUM6.38	uuid 8.3.2 fixed in 11.1.1, 12.0.1, 13.0.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-45736	MEDIUM6.38	ws 8.17.1 fixed in 8.20.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3t64 3.5.6-1~deb13u1 fixed in 3.5.6-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2024-38355	MEDIUM6.21	socket.io 3.1.2 fixed in 2.5.1, 4.6.2	0.7% Theoretical Threat	Directly Exposed
CVE-2017-16016	MEDIUM6.1	sanitize-html 1.4.2 fixed in 1.11.4	1.4% Low-Moderate Risk	Directly Exposed
CVE-2020-8203	MEDIUM5.92	lodash.set 4.3.2 No fix yet	5.2% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2024-37890	MEDIUM5.9	ws 7.4.6 fixed in 5.2.4, 6.2.3, 7.5.10, 8.17.1	1.3% Low-Moderate Risk	Directly Exposed
CVE-2018-16487	MEDIUM5.6	lodash 2.4.2 fixed in >=4.17.11	1.9% Low-Moderate Risk	Directly Exposed
CVE-2026-6238	MEDIUM5.52	libc6 2.41-12+deb13u3 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27904	MEDIUM5.52	minimatch 3.0.5 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4	0.5% Theoretical Threat	Directly Exposed
CVE-2021-23771	MEDIUM5.52	notevil 1.3.3 No fix yet	1.0% Theoretical Threat	Directly Exposed
CVE-2022-23539	MEDIUM5.5	jsonwebtoken 0.1.0 fixed in 9.0.0	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2022-23539	MEDIUM5.5	jsonwebtoken 0.4.0 fixed in 9.0.0	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34181	MEDIUM5.35	libssl3t64 3.5.6-1~deb13u1 fixed in 3.5.6-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3t64 3.5.6-1~deb13u1 fixed in 3.5.6-1~deb13u2	0.4% Theoretical Threat	Directly Exposed
CVE-2022-23541	MEDIUM5.35	jsonwebtoken 0.1.0 fixed in 9.0.0	0.8% Theoretical Threat	Directly Exposed
CVE-2022-23541	MEDIUM5.35	jsonwebtoken 0.4.0 fixed in 9.0.0	0.8% Theoretical Threat	Directly Exposed
CVE-2019-1010024	MEDIUM5.3	libc6 2.41-12+deb13u3 No fix yet	3.2% Low-Moderate Risk	Directly Exposed
CVE-2019-1010025	MEDIUM5.3	libc6 2.41-12+deb13u3 No fix yet	2.3% Low-Moderate Risk	Directly Exposed
CVE-2022-33987	MEDIUM5.3	got 8.3.2 fixed in 12.1.0, 11.8.5	1.9% Low-Moderate Risk	Directly Exposed
CVE-2021-26539	MEDIUM5.3	sanitize-html 1.4.2 fixed in 2.3.1	2.0% Low-Moderate Risk	Directly Exposed
CVE-2021-26540	MEDIUM5.3	sanitize-html 1.4.2 fixed in 2.3.2	1.8% Low-Moderate Risk	Directly Exposed
CVE-2024-21501	MEDIUM5.3	sanitize-html 1.4.2 fixed in 2.12.1	1.0% Low-Moderate Risk	Directly Exposed
CVE-2016-1000237	MEDIUM5.18	sanitize-html 1.4.2 fixed in >=1.4.3	0.8% Theoretical Threat	Directly Exposed
CVE-2019-25225	MEDIUM5.18	sanitize-html 1.4.2 fixed in 2.0.0-beta	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5435	MEDIUM5.02	libc6 2.41-12+deb13u3 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3t64 3.5.6-1~deb13u1 fixed in 3.5.6-1~deb13u2	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3t64 3.5.6-1~deb13u1 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3t64 3.5.6-1~deb13u1 fixed in 3.5.6-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3t64 3.5.6-1~deb13u1 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27903	MEDIUM5.02	minimatch 3.0.5 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3	0.5% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3t64 3.5.6-1~deb13u1 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib1g 1:1.3.dfsg+really1.3.1-1+b1 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3t64 3.5.6-1~deb13u1 fixed in 3.5.6-1~deb13u2	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3t64 3.5.6-1~deb13u1 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31808	MEDIUM4.5	file-type 16.5.4 fixed in 21.3.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2950	MEDIUM4.5	lodash 2.4.2 fixed in 4.18.0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-48997	MEDIUM4.5	multer 1.4.5-lts.2 fixed in 2.0.1	0.4% Theoretical Threat	Directly Exposed
CVE-2025-7338	MEDIUM4.5	multer 1.4.5-lts.2 fixed in 2.0.2	0.6% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	libc6 2.41-12+deb13u3 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	libc6 2.41-12+deb13u3 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3t64 3.5.6-1~deb13u1 fixed in 3.5.6-1~deb13u2	0.5% Theoretical Threat	Directly Exposed
CVE-2010-4756	MEDIUM4	libc6 2.41-12+deb13u3 No fix yet	2.6% Low-Moderate Risk	Directly Exposed
CVE-2023-46233	LOW3.71	crypto-js 3.3.0 fixed in 4.2.0	0.6% Theoretical Threat	Post-ExploitContext importance: MEDIUM
CVE-2026-26960	LOW3.62	tar 4.4.19 fixed in 7.5.8	0.3% Theoretical Threat	Post-Exploit
CVE-2026-26960	LOW3.62	tar 6.2.1 fixed in 7.5.8	0.3% Theoretical Threat	Post-Exploit
CVE-2019-1010022	LOW3.53	libc6 2.41-12+deb13u3 No fix yet	3.2% Low-Moderate Risk	Post-Exploit
CVE-2026-3449	LOW3.4	@tootallnate/once 1.1.2 fixed in 3.0.1, 2.0.1	0.1% Theoretical Threat	Directly Exposed
CVE-2026-29786	LOW3.21	tar 4.4.19 fixed in 7.5.10	0.3% Theoretical Threat	Post-Exploit
CVE-2026-29786	LOW3.21	tar 6.2.1 fixed in 7.5.10	0.3% Theoretical Threat	Post-Exploit
CVE-2019-1010023	LOW3.17	libc6 2.41-12+deb13u3 No fix yet	3.1% Low-Moderate Risk	Post-Exploit
CVE-2026-45446	LOW3.15	libssl3t64 3.5.6-1~deb13u1 fixed in 3.5.6-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2024-47764	LOW3.15	cookie 0.4.2 fixed in 0.7.0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-23745	LOW3.11	tar 4.4.19 fixed in 7.5.3	0.3% Theoretical Threat	Post-Exploit
CVE-2026-23745	LOW3.11	tar 6.2.1 fixed in 7.5.3	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3t64 3.5.6-1~deb13u1 fixed in 3.5.6-1~deb13u2	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-31802	LOW2.8	tar 4.4.19 fixed in 7.5.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-31802	LOW2.8	tar 6.2.1 fixed in 7.5.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3t64 3.5.6-1~deb13u1 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Post-Exploit
CVE-2018-20796	LOW2.7	libc6 2.41-12+deb13u3 No fix yet	5.8% Low-Moderate Risk	Post-Exploit
CVE-2019-9192	LOW2.7	libc6 2.41-12+deb13u3 No fix yet	2.4% Low-Moderate Risk	Post-Exploit
CVE-2026-24842	LOW2.51	tar 4.4.19 fixed in 7.5.7	0.5% Theoretical Threat	Post-Exploit
CVE-2026-24842	LOW2.51	tar 6.2.1 fixed in 7.5.7	0.5% Theoretical Threat	Post-Exploit
CVE-2024-28863	LOW1.99	tar 4.4.19 fixed in 6.2.1	0.9% Theoretical Threat	Post-Exploit
CVE-2026-23950	LOW1.81	tar 4.4.19 fixed in 7.5.4	0.2% Theoretical Threat	Post-Exploit
CVE-2026-23950	LOW1.81	tar 6.2.1 fixed in 7.5.4	0.2% Theoretical Threat	Post-Exploit
NSWG-ECO-428	NONE0	base64url 0.0.6 fixed in >=3.0.0	—	Not Applicable
GHSA-rvg8-pwq2-xj7q	NONE0	base64url 0.0.6 fixed in 3.0.0	—	Not Applicable
CVE-2026-53550	NONE0	js-yaml 3.14.2 fixed in 4.2.0	—	Not Applicable
NSWG-ECO-17	NONE0	jsonwebtoken 0.1.0 fixed in >=4.2.2	—	Not Applicable
NSWG-ECO-17	NONE0	jsonwebtoken 0.4.0 fixed in >=4.2.2	—	Not Applicable
CVE-2016-1000223	NONE0	jws 0.2.6 fixed in >=3.0.0	—	Not Applicable
GHSA-5mrr-rgp6-x4gr	NONE0	marsdb 0.6.11 No fix yet	—	Not Applicable
CVE-2025-57349	NONE0	messageformat 2.3.0 fixed in 3.0.0-beta.0	0.4% Theoretical Threat	Not Applicable
CVE-2025-47935	NONE0	multer 1.4.5-lts.2 fixed in 2.0.0	0.7% Theoretical Threat	Not Applicable
CVE-2025-47944	NONE0	multer 1.4.5-lts.2 fixed in 2.0.0	0.7% Theoretical Threat	Not Applicable
CVE-2026-5079	NONE0	multer 1.4.5-lts.2 fixed in 2.2.0, 3.0.0-alpha.2	0.3% Theoretical Threat	Not Applicable
NSWG-ECO-154	NONE0	sanitize-html 1.4.2 fixed in >=1.11.4	—	Not Applicable
CVE-2026-53655	NONE0	tar 4.4.19 fixed in 7.5.16	—	Not Applicable
CVE-2026-53655	NONE0	tar 6.2.1 fixed in 7.5.16	—	Not Applicable
CVE-2026-48779	NONE0	ws 7.4.6 fixed in 5.2.5, 6.2.4, 7.5.11, 8.21.0	—	Not Applicable
CVE-2026-48779	NONE0	ws 8.17.1 fixed in 5.2.5, 6.2.4, 7.5.11, 8.21.0	—	Not Applicable