Vulnerability Reportnode:18-alpine

Name: node:18-alpine Security Vulnerability Report
Creator: BaseImage
Keywords: node:18-alpine, Docker security, vulnerability scan, CVE, container security, SBOM

DIGESTsha256:8d6421d663b4c28fd3ebc498332f249011d118945588d0a35cb9bc4b8ca09d9e

Executive Summary

CAUTION

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. The most severe consequences include potential remote code execution or denial of service via CVE-2025-15467 in OpenSSL if untrusted cryptographic content is processed. Additionally, CVE-2026-24842 could allow arbitrary file creation leading to information disclosure during malicious tar archive extraction. Note: The OpenSSL vulnerability applies if the application processes untrusted CMS or PKCS#7 content, and the tar vulnerability requires the application to extract specially crafted TAR archives. Careful review of the application's interaction with these components and inputs is crucial. Despite these issues, the image is an official, trusted Docker Hub build, ensuring its origin.

Threat Score

50/100

CAUTION

The container image has 6 EXPOSED_SURFACE vulnerabilities with severity 6.0 or higher, with the maximum severity being 6.97.
An EXPOSED_SURFACE vulnerability, CVE-2026-24842 (severity 6.97), allows arbitrary file creation via path traversal if a malicious TAR archive is extracted.
CVE-2025-15467 (severity 6.66) in OpenSSL could lead to Denial of Service or Remote Code Execution if untrusted CMS or PKCS#7 content is processed.
Additional EXPOSED_SURFACE findings, like CVE-2026-24001 and CVE-2026-26996, expose the service to Denial of Service attacks through crafted inputs to `jsdiff` and `minimatch`.
The image originates from an Official Docker Hub publisher and is pinned by digest, ensuring high trust and immutability.

Reputation

TRUSTED

Docker Official

OFFICIAL

Official Docker Hub Image
Pinned by digest (Immutable)

BaseImage/

node:18-alpine

Hardened

Grade

A+

Vulns

Verified & secured for production

Vulnerabilities

Vulnerability Log

64 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-24842	MEDIUM6.97	tar 6.2.1 fixed in 7.5.7	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2025-15467	MEDIUM6.66	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	0.7% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2025-15467	MEDIUM6.66	libssl3 3.3.3-r0 fixed in 3.3.6-r0	0.7% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-22184	MEDIUM6.63	zlib 1.3.1-r2 fixed in 1.3.2-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-24001	MEDIUM6.38	diff 5.2.0 fixed in 8.0.3, 5.2.2, 4.0.4, 3.5.1	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-26996	MEDIUM6.38	minimatch 9.0.5 fixed in 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-33750	MEDIUM5.52	brace-expansion 2.0.1 fixed in 5.0.5, 3.0.2, 2.0.3, 1.1.13	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-27904	MEDIUM5.52	minimatch 9.0.5 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-6042	MEDIUM5.5	musl 1.2.5-r9 fixed in 1.2.5-r10	—	Directly Exposed
CVE-2026-6042	MEDIUM5.5	musl-utils 1.2.5-r9 fixed in 1.2.5-r10	—	Directly Exposed
CVE-2025-69421	MEDIUM5.1	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-28390	MEDIUM5.1	libcrypto3 3.3.3-r0 fixed in 3.3.7-r0	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2025-69421	MEDIUM5.1	libssl3 3.3.3-r0 fixed in 3.3.6-r0	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-28390	MEDIUM5.1	libssl3 3.3.3-r0 fixed in 3.3.7-r0	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2025-69419	MEDIUM5.03	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2025-69419	MEDIUM5.03	libssl3 3.3.3-r0 fixed in 3.3.6-r0	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2025-66199	MEDIUM5.02	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-9231	MEDIUM5.02	libcrypto3 3.3.3-r0 fixed in 3.3.5-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM5.02	libcrypto3 3.3.3-r0 fixed in 3.3.7-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM5.02	libcrypto3 3.3.3-r0 fixed in 3.3.7-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libcrypto3 3.3.3-r0 fixed in 3.3.7-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM5.02	libssl3 3.3.3-r0 fixed in 3.3.6-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-66199	MEDIUM5.02	libssl3 3.3.3-r0 fixed in 3.3.6-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	libssl3 3.3.3-r0 fixed in 3.3.6-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-9231	MEDIUM5.02	libssl3 3.3.3-r0 fixed in 3.3.5-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	libssl3 3.3.3-r0 fixed in 3.3.6-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM5.02	libssl3 3.3.3-r0 fixed in 3.3.7-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM5.02	libssl3 3.3.3-r0 fixed in 3.3.7-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libssl3 3.3.3-r0 fixed in 3.3.7-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-27903	MEDIUM5.02	minimatch 9.0.5 fixed in 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-31789	MEDIUM4.93	libcrypto3 3.3.3-r0 fixed in 3.3.7-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-31789	MEDIUM4.93	libssl3 3.3.3-r0 fixed in 3.3.7-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-9230	MEDIUM4.76	libcrypto3 3.3.3-r0 fixed in 3.3.5-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-9230	MEDIUM4.76	libssl3 3.3.3-r0 fixed in 3.3.5-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-40200	MEDIUM4.68	musl 1.2.5-r9 fixed in 1.2.5-r11	—	Directly Exposed
CVE-2026-40200	MEDIUM4.68	musl-utils 1.2.5-r9 fixed in 1.2.5-r11	—	Directly Exposed
CVE-2026-22795	MEDIUM4.67	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-22795	MEDIUM4.67	libssl3 3.3.3-r0 fixed in 3.3.6-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.3.1-r2 fixed in 1.3.2-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM4.02	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2025-68160	MEDIUM4	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-68160	MEDIUM4	libssl3 3.3.3-r0 fixed in 3.3.6-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2024-21538	LOW3.74	cross-spawn 7.0.3 fixed in 7.0.5, 6.0.6	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-26960	LOW3.62	tar 6.2.1 fixed in 7.5.8	<0.1% Theoretical Threat	Post-Exploit
CVE-2025-69418	LOW3.4	libcrypto3 3.3.3-r0 fixed in 3.3.6-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-69418	LOW3.4	libssl3 3.3.3-r0 fixed in 3.3.6-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-29786	LOW3.21	tar 6.2.1 fixed in 7.5.10	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW3.15	libcrypto3 3.3.3-r0 fixed in 3.3.7-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-28387	LOW3.15	libssl3 3.3.3-r0 fixed in 3.3.7-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-23745	LOW3.11	tar 6.2.1 fixed in 7.5.3	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-31802	LOW2.8	tar 6.2.1 fixed in 7.5.11	<0.1% Theoretical Threat	Post-Exploit
CVE-2025-9232	LOW2.63	libcrypto3 3.3.3-r0 fixed in 3.3.5-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-9232	LOW2.63	libssl3 3.3.3-r0 fixed in 3.3.5-r0	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-5889	LOW2.63	brace-expansion 2.0.1 fixed in 2.0.2, 1.1.12, 3.0.1, 4.0.1	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-64756	LOW2.29	glob 10.4.2 fixed in 11.1.0, 10.5.0	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-23950	LOW1.81	tar 6.2.1 fixed in 7.5.4	<0.1% Theoretical Threat	Post-Exploit
CVE-2025-46394	LOW1.68	busybox 1.37.0-r12 fixed in 1.37.0-r14	<0.1% Theoretical Threat	Post-Exploit
CVE-2025-46394	LOW1.68	busybox-binsh 1.37.0-r12 fixed in 1.37.0-r14	<0.1% Theoretical Threat	Post-Exploit
CVE-2025-46394	LOW1.68	ssl_client 1.37.0-r12 fixed in 1.37.0-r14	<0.1% Theoretical Threat	Post-Exploit
CVE-2024-58251	NONE0	busybox 1.37.0-r12 fixed in 1.37.0-r14	<0.1% Theoretical Threat	Not Applicable
CVE-2024-58251	NONE0	busybox-binsh 1.37.0-r12 fixed in 1.37.0-r14	<0.1% Theoretical Threat	Not Applicable
CVE-2024-58251	NONE0	ssl_client 1.37.0-r12 fixed in 1.37.0-r14	<0.1% Theoretical Threat	Not Applicable