Vulnerability Reportbkimminich/juice-shop:v20.0.0

bkimminich/juice-shop:v20.0.0

DIGESTsha256:fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0

Executive Summary

Threat ScoreDANGEROUS• Exposed surface contains 10 critical/high-severity vulnerabilities (severity >=7.0), including authentication bypass (CVE-2015-9235, CVSS 9.8) and remote code execution (CVE-2021-23337).• Vulnerabilities are network-exploitable without authentication, enabling full compromise of the application.• This image is a deliberately vulnerable training application (Juice Shop) not designed for production use.• Trust/reputation is high, but does not mitigate the known security flaws present in this container.

100/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (86M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker can exploit JWT verification bypass (CVE-2015-9235) to impersonate any user, execute arbitrary commands via Lodash template injection (CVE-2021-23337), and cause denial of service via ReDoS attacks. While some vulnerabilities (e.g., CVE-2020-15084) require specific configurations, the vast majority are exploitable by default. No practical compensating controls can fully remediate these flaws given the image's inherent design as a vulnerable training tool. Do not deploy this container in any production or internet-accessible environment.

Vulnerabilities

Vulnerability Log

109 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2015-9235	CRITICAL9.8	jsonwebtoken 0.1.0 fixed in 4.2.2	7.2% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2015-9235	CRITICAL9.8	jsonwebtoken 0.4.0 fixed in 4.2.2	7.2% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2019-10744	CRITICAL9.1	lodash 2.4.2 fixed in 4.17.12	5.0% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2021-23337	HIGH8.28	lodash 2.4.2 fixed in 4.17.21	22.4% High Exploitation Risk	Directly ExposedContext importance: HIGH
CVE-2022-25881	HIGH7.5	http-cache-semantics 3.8.1 fixed in 4.1.1	1.6% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2017-18214	HIGH7.5	moment 2.0.0 fixed in 2.19.3	3.7% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2022-25887	HIGH7.5	sanitize-html 1.4.2 fixed in 2.7.1	1.1% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-32695	HIGH7.5	socket.io-parser 4.0.5 fixed in 4.2.3, 3.4.3, 3.3.4	1.1% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2020-8203	HIGH7.4	lodash.set 4.3.2 No fix yet	5.2% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2020-15084	HIGH7.28	express-jwt 0.1.3 fixed in 6.0.0	1.1% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-41940	MEDIUM6.5	engine.io 4.1.2 fixed in 3.6.1, 6.2.1	1.9% Low-Moderate Risk	Directly Exposed
CVE-2018-3721	MEDIUM6.5	lodash 2.4.2 fixed in >=4.17.5	2.4% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2016-4055	MEDIUM6.5	moment 2.0.0 fixed in >=2.11.2	9.9% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2022-23540	MEDIUM6.46	jsonwebtoken 0.1.0 fixed in 9.0.0	0.5% Theoretical Threat	Directly Exposed
CVE-2022-23540	MEDIUM6.46	jsonwebtoken 0.4.0 fixed in 9.0.0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.5% Theoretical Threat	Directly Exposed
CVE-2025-65945	MEDIUM6.38	jws 0.2.6 fixed in 3.2.3, 4.0.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-26996	MEDIUM6.38	minimatch 3.0.5 fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3	0.5% Theoretical Threat	Directly Exposed
CVE-2026-2359	MEDIUM6.38	multer 1.4.5-lts.2 fixed in 2.1.0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-3304	MEDIUM6.38	multer 1.4.5-lts.2 fixed in 2.1.0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-3520	MEDIUM6.38	multer 1.4.5-lts.2 fixed in 2.1.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-33151	MEDIUM6.38	socket.io-parser 4.0.5 fixed in 3.3.5, 3.4.4, 4.2.6	0.5% Theoretical Threat	Directly Exposed
CVE-2026-41907	MEDIUM6.38	uuid 8.3.2 fixed in 11.1.1, 12.0.1, 13.0.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-45736	MEDIUM6.38	ws 8.17.1 fixed in 8.20.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2024-38355	MEDIUM6.21	socket.io 3.1.2 fixed in 2.5.1, 4.6.2	0.7% Theoretical Threat	Directly Exposed
CVE-2017-16016	MEDIUM6.1	sanitize-html 1.4.2 fixed in 1.11.4	1.4% Low-Moderate Risk	Directly Exposed
CVE-2022-24785	MEDIUM6	moment 2.0.0 fixed in 2.29.2	5.4% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2024-37890	MEDIUM5.9	ws 7.4.6 fixed in 5.2.4, 6.2.3, 7.5.10, 8.17.1	1.3% Low-Moderate Risk	Directly Exposed
CVE-2018-16487	MEDIUM5.6	lodash 2.4.2 fixed in >=4.17.11	1.9% Low-Moderate Risk	Directly Exposed
CVE-2026-4437	MEDIUM5.52	libc6 2.41-12+deb13u2 fixed in 2.41-12+deb13u3	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6238	MEDIUM5.52	libc6 2.41-12+deb13u2 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27904	MEDIUM5.52	minimatch 3.0.5 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4	0.5% Theoretical Threat	Directly Exposed
CVE-2021-23771	MEDIUM5.52	notevil 1.3.3 No fix yet	1.0% Theoretical Threat	Directly Exposed
CVE-2022-23539	MEDIUM5.5	jsonwebtoken 0.1.0 fixed in 9.0.0	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2022-23539	MEDIUM5.5	jsonwebtoken 0.4.0 fixed in 9.0.0	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34181	MEDIUM5.35	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.4% Theoretical Threat	Directly Exposed
CVE-2022-23541	MEDIUM5.35	jsonwebtoken 0.1.0 fixed in 9.0.0	0.8% Theoretical Threat	Directly Exposed
CVE-2022-23541	MEDIUM5.35	jsonwebtoken 0.4.0 fixed in 9.0.0	0.8% Theoretical Threat	Directly Exposed
CVE-2019-1010024	MEDIUM5.3	libc6 2.41-12+deb13u2 No fix yet	3.2% Low-Moderate Risk	Directly Exposed
CVE-2019-1010025	MEDIUM5.3	libc6 2.41-12+deb13u2 No fix yet	2.3% Low-Moderate Risk	Directly Exposed
CVE-2022-33987	MEDIUM5.3	got 8.3.2 fixed in 12.1.0, 11.8.5	1.9% Low-Moderate Risk	Directly Exposed
CVE-2021-26539	MEDIUM5.3	sanitize-html 1.4.2 fixed in 2.3.1	2.0% Low-Moderate Risk	Directly Exposed
CVE-2021-26540	MEDIUM5.3	sanitize-html 1.4.2 fixed in 2.3.2	1.8% Low-Moderate Risk	Directly Exposed
CVE-2024-21501	MEDIUM5.3	sanitize-html 1.4.2 fixed in 2.12.1	1.0% Low-Moderate Risk	Directly Exposed
CVE-2016-1000237	MEDIUM5.18	sanitize-html 1.4.2 fixed in >=1.4.3	0.8% Theoretical Threat	Directly Exposed
CVE-2019-25225	MEDIUM5.18	sanitize-html 1.4.2 fixed in 2.0.0-beta	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5435	MEDIUM5.02	libc6 2.41-12+deb13u2 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27903	MEDIUM5.02	minimatch 3.0.5 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3	0.5% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib1g 1:1.3.dfsg+really1.3.1-1+b1 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libc6 2.41-12+deb13u2 fixed in 2.41-12+deb13u3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31808	MEDIUM4.5	file-type 16.5.4 fixed in 21.3.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-2950	MEDIUM4.5	lodash 2.4.2 fixed in 4.18.0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-48997	MEDIUM4.5	multer 1.4.5-lts.2 fixed in 2.0.1	0.4% Theoretical Threat	Directly Exposed
CVE-2025-7338	MEDIUM4.5	multer 1.4.5-lts.2 fixed in 2.0.2	0.6% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	libc6 2.41-12+deb13u2 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	libc6 2.41-12+deb13u2 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.5% Theoretical Threat	Directly Exposed
CVE-2010-4756	MEDIUM4	libc6 2.41-12+deb13u2 No fix yet	2.6% Low-Moderate Risk	Directly Exposed
CVE-2026-26960	LOW3.62	tar 4.4.19 fixed in 7.5.8	0.3% Theoretical Threat	Post-Exploit
CVE-2026-26960	LOW3.62	tar 6.2.1 fixed in 7.5.8	0.3% Theoretical Threat	Post-Exploit
CVE-2019-1010022	LOW3.53	libc6 2.41-12+deb13u2 No fix yet	3.2% Low-Moderate Risk	Post-Exploit
CVE-2026-4438	LOW3.4	libc6 2.41-12+deb13u2 fixed in 2.41-12+deb13u3	0.2% Theoretical Threat	Directly Exposed
CVE-2026-3449	LOW3.4	@tootallnate/once 1.1.2 fixed in 3.0.1, 2.0.1	0.1% Theoretical Threat	Directly Exposed
CVE-2026-29786	LOW3.21	tar 4.4.19 fixed in 7.5.10	0.3% Theoretical Threat	Post-Exploit
CVE-2026-29786	LOW3.21	tar 6.2.1 fixed in 7.5.10	0.3% Theoretical Threat	Post-Exploit
CVE-2019-1010023	LOW3.17	libc6 2.41-12+deb13u2 No fix yet	3.1% Low-Moderate Risk	Post-Exploit
CVE-2026-45446	LOW3.15	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.2% Theoretical Threat	Directly Exposed
CVE-2024-47764	LOW3.15	cookie 0.4.2 fixed in 0.7.0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-23745	LOW3.11	tar 4.4.19 fixed in 7.5.3	0.3% Theoretical Threat	Post-Exploit
CVE-2026-23745	LOW3.11	tar 6.2.1 fixed in 7.5.3	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-31802	LOW2.8	tar 4.4.19 fixed in 7.5.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-31802	LOW2.8	tar 6.2.1 fixed in 7.5.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3t64 3.5.5-1~deb13u2 fixed in 3.5.6-1~deb13u2	0.3% Theoretical Threat	Post-Exploit
CVE-2023-46233	LOW2.78	crypto-js 3.3.0 fixed in 4.2.0	0.6% Theoretical Threat	Post-Exploit
CVE-2018-20796	LOW2.7	libc6 2.41-12+deb13u2 No fix yet	5.8% Low-Moderate Risk	Post-Exploit
CVE-2019-9192	LOW2.7	libc6 2.41-12+deb13u2 No fix yet	2.4% Low-Moderate Risk	Post-Exploit
CVE-2026-24842	LOW2.51	tar 4.4.19 fixed in 7.5.7	0.5% Theoretical Threat	Post-Exploit
CVE-2026-24842	LOW2.51	tar 6.2.1 fixed in 7.5.7	0.5% Theoretical Threat	Post-Exploit
CVE-2024-28863	LOW1.99	tar 4.4.19 fixed in 6.2.1	0.9% Theoretical Threat	Post-Exploit
CVE-2026-23950	LOW1.81	tar 4.4.19 fixed in 7.5.4	0.2% Theoretical Threat	Post-Exploit
CVE-2026-23950	LOW1.81	tar 6.2.1 fixed in 7.5.4	0.2% Theoretical Threat	Post-Exploit
NSWG-ECO-428	NONE0	base64url 0.0.6 fixed in >=3.0.0	—	Not Applicable
GHSA-rvg8-pwq2-xj7q	NONE0	base64url 0.0.6 fixed in 3.0.0	—	Not Applicable
CVE-2026-53550	NONE0	js-yaml 3.14.2 fixed in 4.2.0	—	Not Applicable
NSWG-ECO-17	NONE0	jsonwebtoken 0.1.0 fixed in >=4.2.2	—	Not Applicable
NSWG-ECO-17	NONE0	jsonwebtoken 0.4.0 fixed in >=4.2.2	—	Not Applicable
CVE-2016-1000223	NONE0	jws 0.2.6 fixed in >=3.0.0	—	Not Applicable
GHSA-5mrr-rgp6-x4gr	NONE0	marsdb 0.6.11 No fix yet	—	Not Applicable
CVE-2025-57349	NONE0	messageformat 2.3.0 fixed in 3.0.0-beta.0	0.4% Theoretical Threat	Not Applicable
CVE-2025-47935	NONE0	multer 1.4.5-lts.2 fixed in 2.0.0	0.7% Theoretical Threat	Not Applicable
CVE-2025-47944	NONE0	multer 1.4.5-lts.2 fixed in 2.0.0	0.7% Theoretical Threat	Not Applicable
CVE-2026-5079	NONE0	multer 1.4.5-lts.2 fixed in 2.2.0, 3.0.0-alpha.2	0.3% Theoretical Threat	Not Applicable
CVE-2026-8723	NONE0	qs 6.15.1 fixed in 6.15.2	0.3% Theoretical Threat	Not Applicable
NSWG-ECO-154	NONE0	sanitize-html 1.4.2 fixed in >=1.11.4	—	Not Applicable
CVE-2026-53655	NONE0	tar 4.4.19 fixed in 7.5.16	—	Not Applicable
CVE-2026-53655	NONE0	tar 6.2.1 fixed in 7.5.16	—	Not Applicable
CVE-2026-53655	NONE0	tar 7.5.15 fixed in 7.5.16	—	Not Applicable
CVE-2026-48779	NONE0	ws 7.4.6 fixed in 5.2.5, 6.2.4, 7.5.11, 8.21.0	—	Not Applicable
CVE-2026-48779	NONE0	ws 8.17.1 fixed in 5.2.5, 6.2.4, 7.5.11, 8.21.0	—	Not Applicable