Vulnerability Reporteclipse-mosquitto:2.0.20

eclipse-mosquitto:2.0.20-openssleclipse-mosquitto:2.0.20

DIGESTsha256:21421af7b32bf9ce508e9090c8eb13bb81f410ca778dc205506180a6f862d0eb

Executive Summary

Threat ScoreSAFE• Official Docker image, pinned by digest — trusted and immutable.• No exposed surface vulnerabilities with severity >= 6.0; exposed max severity is 5.9.• All post-exploit findings (CVE-2025-15467) are low severity (4.06) and require CMS parsing, not used by Mosquitto.• Total of 25 exposed and 26 post-exploit vulnerabilities, but none pose practical risk in this context.

0/100SAFE

ReputationOFFICIAL• Official Docker Hub Image• Pinned by digest (Immutable)

TRUSTED

This image is safe for production use. Although there are a total of 51 low-severity vulnerabilities (25 exposed, 26 post-exploit), none exceed a severity of 5.9. The only CVE (CVE-2025-15467) is a server-side parsing flaw in libcrypto3 and libssl3 that requires CMS message processing, which Mosquitto does not perform, making it unreachable over MQTT. Additionally, the image is officially published by Docker and pinned by digest, ensuring integrity.

Vulnerabilities

Vulnerability Log

51 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2025-9231	MEDIUM5.9	libssl3 3.3.3-r0 fixed in 3.3.5-r0	2.3% Low-Moderate Risk	Directly Exposed
CVE-2025-9230	MEDIUM5.6	libcrypto3 3.3.3-r0 fixed in 3.3.5-r0	1.8% Low-Moderate Risk	Directly Exposed
CVE-2025-9230	MEDIUM5.6	libssl3 3.3.3-r0 fixed in 3.3.5-r0	1.8% Low-Moderate Risk	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libcrypto3 3.3.3-r0 fixed in 3.3.7-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM5.02	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-66199	MEDIUM5.02	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libssl3 3.3.3-r0 fixed in 3.3.7-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM5.02	libssl3 3.3.3-r0 fixed in 3.3.6-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2025-66199	MEDIUM5.02	libssl3 3.3.3-r0 fixed in 3.3.6-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	libssl3 3.3.3-r0 fixed in 3.3.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	libssl3 3.3.3-r0 fixed in 3.3.6-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-31789	MEDIUM5	libcrypto3 3.3.3-r0 fixed in 3.3.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-31789	MEDIUM5	libssl3 3.3.3-r0 fixed in 3.3.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22795	MEDIUM4.67	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-22795	MEDIUM4.67	libssl3 3.3.3-r0 fixed in 3.3.6-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-6042	MEDIUM4.67	musl 1.2.5-r1 fixed in 1.2.5-r2	0.2% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.3.1-r1 fixed in 1.3.2-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-15467	MEDIUM4.06	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	48.7% High Exploitation Risk	Post-Exploit
CVE-2025-15467	MEDIUM4.06	libssl3 3.3.3-r0 fixed in 3.3.6-r0	48.7% High Exploitation Risk	Post-Exploit
CVE-2025-68160	MEDIUM4	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-68160	MEDIUM4	libssl3 3.3.3-r0 fixed in 3.3.6-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-40200	LOW3.98	musl-utils 1.2.5-r1 fixed in 1.2.5-r3	0.1% Theoretical Threat	Post-Exploit
CVE-2025-69418	LOW3.4	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2025-69418	LOW3.4	libssl3 3.3.3-r0 fixed in 3.3.6-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2025-9232	LOW3.1	libcrypto3 3.3.3-r0 fixed in 3.3.5-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2025-9232	LOW3.1	libssl3 3.3.3-r0 fixed in 3.3.5-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2026-6042	LOW2.8	musl-utils 1.2.5-r1 fixed in 1.2.5-r2	0.2% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	libcrypto3 3.3.3-r0 fixed in 3.3.7-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	libssl3 3.3.3-r0 fixed in 3.3.7-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-40200	LOW2.39	musl 1.2.5-r1 fixed in 1.2.5-r3	0.1% Theoretical Threat	Post-Exploit
CVE-2026-22184	LOW2.39	zlib 1.3.1-r1 fixed in 1.3.2-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2025-57052	LOW2.29	cjson 1.7.18-r0 fixed in 1.7.19-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2025-69421	LOW2.29	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28388	LOW2.29	libcrypto3 3.3.3-r0 fixed in 3.3.7-r0	0.9% Theoretical Threat	Post-Exploit
CVE-2026-28389	LOW2.29	libcrypto3 3.3.3-r0 fixed in 3.3.7-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28390	LOW2.29	libcrypto3 3.3.3-r0 fixed in 3.3.7-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2025-69421	LOW2.29	libssl3 3.3.3-r0 fixed in 3.3.6-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28388	LOW2.29	libssl3 3.3.3-r0 fixed in 3.3.7-r0	0.9% Theoretical Threat	Post-Exploit
CVE-2026-28389	LOW2.29	libssl3 3.3.3-r0 fixed in 3.3.7-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28390	LOW2.29	libssl3 3.3.3-r0 fixed in 3.3.7-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2025-69419	LOW2.26	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2025-69419	LOW2.26	libssl3 3.3.3-r0 fixed in 3.3.6-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2025-9231	LOW2.12	libcrypto3 3.3.3-r0 fixed in 3.3.5-r0	2.3% Low-Moderate Risk	Post-Exploit
CVE-2025-46394	LOW1.68	busybox 1.36.1-r29 fixed in 1.36.1-r31	0.1% Theoretical Threat	Post-Exploit
CVE-2025-46394	LOW1.68	busybox-binsh 1.36.1-r29 fixed in 1.36.1-r31	0.1% Theoretical Threat	Post-Exploit
CVE-2025-46394	LOW1.68	ssl_client 1.36.1-r29 fixed in 1.36.1-r31	0.1% Theoretical Threat	Post-Exploit
CVE-2024-58251	NONE0	busybox 1.36.1-r29 fixed in 1.36.1-r31	0.2% Theoretical Threat	Not Applicable
CVE-2024-58251	NONE0	busybox-binsh 1.36.1-r29 fixed in 1.36.1-r31	0.2% Theoretical Threat	Not Applicable
CVE-2024-58251	NONE0	ssl_client 1.36.1-r29 fixed in 1.36.1-r31	0.2% Theoretical Threat	Not Applicable