This image carries significant risk; production deployment is highly discouraged without strict compensating controls. An attacker could achieve arbitrary code execution by exploiting CVE-2025-67030, which allows directory traversal and code execution when Maven extracts a malicious archive from a compromised repository or man-in-the-middle. Although the image is official and widely used, the severity and reachability of this vulnerability make it unsuitable for most production workloads without additional protections.
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2025-67030 | HIGH7.48 | org.codehaus.plexus:plexus-utils 4.0.2 fixed in 4.0.3, 3.6.1 | 0.7% Theoretical Threat | Directly ExposedContext importance: HIGH |
| CVE-2026-48863 | LOW2.7 | libsolv 0.7.22-1.amzn2023.0.3 fixed in 0.7.22-1.amzn2023.0.4 | — | Post-Exploit |
| CVE-2026-48864 | LOW2.39 | libsolv 0.7.22-1.amzn2023.0.3 fixed in 0.7.22-1.amzn2023.0.4 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-9149 | LOW1.99 | libsolv 0.7.22-1.amzn2023.0.3 fixed in 0.7.22-1.amzn2023.0.4 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-9150 | LOW1.99 | libsolv 0.7.22-1.amzn2023.0.3 fixed in 0.7.22-1.amzn2023.0.4 | 0.4% Theoretical Threat | Post-Exploit |
| CVE-2026-6019 | LOW1.87 | python3 3.9.25-1.amzn2023.0.5 fixed in 3.9.25-1.amzn2023.0.6 | 0.2% Theoretical Threat | Post-Exploit |
| CVE-2026-6019 | NONE0 | python3-libs 3.9.25-1.amzn2023.0.5 fixed in 3.9.25-1.amzn2023.0.6 | 0.2% Theoretical Threat | Not Applicable |