This image carries significant risk; production deployment is highly discouraged without strict compensating controls. An attacker could execute arbitrary code on the container if Maven processes a malicious archive during a build, potentially compromising the build pipeline. The vulnerability (CVE-2025-67030) is in a core Maven dependency and requires no special configuration to exploit, making it readily accessible. While the image is official and widely trusted, this single high-severity flaw warrants caution and remediation before production use.
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2025-67030 | HIGH (7.48) | org.codehaus.plexus:plexus-utils 4.0.2, fixed in 4.0.3 / 3.6.1 | 0.7% (Theoretical Threat) | Directly Exposed; context importance: HIGH |
| CVE-2026-48863 | LOW (2.7) | libsolv 0.7.22-1.amzn2023.0.3, fixed in 0.7.22-1.amzn2023.0.4 | — | Post-Exploit |
| CVE-2026-48864 | LOW (2.39) | libsolv 0.7.22-1.amzn2023.0.3, fixed in 0.7.22-1.amzn2023.0.4 | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2026-9149 | LOW (1.99) | libsolv 0.7.22-1.amzn2023.0.3, fixed in 0.7.22-1.amzn2023.0.4 | 0.3% (Theoretical Threat) | Post-Exploit |
| CVE-2026-9150 | LOW (1.99) | libsolv 0.7.22-1.amzn2023.0.3, fixed in 0.7.22-1.amzn2023.0.4 | 0.4% (Theoretical Threat) | Post-Exploit |
| CVE-2026-6019 | LOW (1.87) | python3 3.9.25-1.amzn2023.0.5, fixed in 3.9.25-1.amzn2023.0.6 | 0.2% (Theoretical Threat) | Post-Exploit |
| CVE-2026-6019 | NONE (0) | python3-libs 3.9.25-1.amzn2023.0.5, fixed in 3.9.25-1.amzn2023.0.6 | 0.2% (Theoretical Threat) | Not Applicable |