Vulnerability Reportprom/statsd-exporter:v0.28.0

prom/statsd-exporter:v0.28.0

DIGESTsha256:4e7a1f00b9b23ef0c5b4fdbb7f4748bdc218cfdff04acc8033bc5b9f7c15009d

Executive Summary

Threat ScoreCAUTION• 68 exposed vulnerabilities, with 6 of medium-high severity (max 6.8) including CVE-2025-68121 and CVE-2026-39829.• No critical (>=7.0) vulnerabilities; post-exploit vulnerabilities are low severity (max 2.95) and not remotely exploitable.• The image is from a popular, reliable publisher (prom, 121M+ pulls) and pinned by digest, ensuring integrity.• Most top findings require non-default configurations (e.g., TLS with mutable Config for CVE-2025-68121) or affect SSH, which is unlikely in a statsd exporter deployment.

50/100CAUTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (121M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. An attacker could exploit CVE-2025-68121 to bypass TLS session validation if TLS is enabled with a mutable Config, leading to authentication bypass. Other top findings like CVE-2026-39829 and CVE-2026-39830 require SSH, which is unlikely in a statsd exporter deployment. Disabling TLS or using a static Config fully mitigates CVE-2025-68121.

Vulnerabilities

Vulnerability Log

78 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2025-68121	MEDIUM6.8	stdlib v1.23.2 fixed in 1.24.13, 1.25.7, 1.26.0-rc.3	0.8% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-39829	MEDIUM6.38	golang.org/x/crypto v0.27.0 fixed in 0.52.0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39830	MEDIUM6.38	golang.org/x/crypto v0.27.0 fixed in 0.52.0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-39836	MEDIUM6.38	stdlib v1.23.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42508	MEDIUM6.29	golang.org/x/crypto v0.27.0 fixed in 0.52.0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-46595	MEDIUM6.03	golang.org/x/crypto v0.27.0 fixed in 0.52.0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-47907	MEDIUM5.95	stdlib v1.23.2 fixed in 1.23.12, 1.24.6	0.3% Theoretical Threat	Directly Exposed
CVE-2025-4673	MEDIUM5.78	stdlib v1.23.2 fixed in 1.23.10, 1.24.4	0.6% Theoretical Threat	Directly Exposed
CVE-2025-22872	MEDIUM5.52	golang.org/x/net v0.29.0 fixed in 0.38.0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-47906	MEDIUM5.52	stdlib v1.23.2 fixed in 1.23.12, 1.24.6	0.5% Theoretical Threat	Directly Exposed
CVE-2025-61727	MEDIUM5.52	stdlib v1.23.2 fixed in 1.24.11, 1.25.5	0.3% Theoretical Threat	Directly Exposed
CVE-2026-32282	MEDIUM5.44	stdlib v1.23.2 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-32289	MEDIUM5.18	stdlib v1.23.2 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-33814	MEDIUM5.1	golang.org/x/net v0.29.0 fixed in 0.53.0	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2025-61726	MEDIUM5.1	stdlib v1.23.2 fixed in 1.24.12, 1.25.6	0.8% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2025-61729	MEDIUM5.1	stdlib v1.23.2 fixed in 1.24.11, 1.25.5	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-25679	MEDIUM5.1	stdlib v1.23.2 fixed in 1.25.8, 1.26.1	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32280	MEDIUM5.1	stdlib v1.23.2 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32281	MEDIUM5.1	stdlib v1.23.2 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-32283	MEDIUM5.1	stdlib v1.23.2 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33814	MEDIUM5.1	stdlib v1.23.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2024-45336	MEDIUM5.02	stdlib v1.23.2 fixed in 1.22.11, 1.23.5, 1.24.0-rc.2	0.6% Theoretical Threat	Directly Exposed
CVE-2026-32288	MEDIUM4.67	stdlib v1.23.2 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2025-22871	MEDIUM4.59	stdlib v1.23.2 fixed in 1.23.8, 1.24.2	0.7% Theoretical Threat	Directly Exposed
CVE-2026-27142	MEDIUM4.59	stdlib v1.23.2 fixed in 1.25.8, 1.26.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39826	MEDIUM4.59	stdlib v1.23.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2025-47914	MEDIUM4.5	golang.org/x/crypto v0.27.0 fixed in 0.45.0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-58181	MEDIUM4.5	golang.org/x/crypto v0.27.0 fixed in 0.45.0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-46598	MEDIUM4.5	golang.org/x/crypto v0.27.0 fixed in 0.52.0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-47911	MEDIUM4.5	golang.org/x/net v0.29.0 fixed in 0.45.0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-58190	MEDIUM4.5	golang.org/x/net v0.29.0 fixed in 0.45.0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-22866	MEDIUM4.5	stdlib v1.23.2 fixed in 1.22.12, 1.23.6, 1.24.0-rc.3	0.3% Theoretical Threat	Directly Exposed
CVE-2025-22873	MEDIUM4.5	stdlib v1.23.2 fixed in 1.23.9, 1.24.3	0.2% Theoretical Threat	Directly Exposed
CVE-2025-47912	MEDIUM4.5	stdlib v1.23.2 fixed in 1.24.8, 1.25.2	0.4% Theoretical Threat	Directly Exposed
CVE-2025-58185	MEDIUM4.5	stdlib v1.23.2 fixed in 1.24.8, 1.25.2	0.5% Theoretical Threat	Directly Exposed
CVE-2025-58187	MEDIUM4.5	stdlib v1.23.2 fixed in 1.24.9, 1.25.3	0.4% Theoretical Threat	Directly Exposed
CVE-2025-58188	MEDIUM4.5	stdlib v1.23.2 fixed in 1.24.8, 1.25.2	0.3% Theoretical Threat	Directly Exposed
CVE-2025-58189	MEDIUM4.5	stdlib v1.23.2 fixed in 1.24.8, 1.25.2	0.4% Theoretical Threat	Directly Exposed
CVE-2025-61723	MEDIUM4.5	stdlib v1.23.2 fixed in 1.24.8, 1.25.2	0.6% Theoretical Threat	Directly Exposed
CVE-2025-61724	MEDIUM4.5	stdlib v1.23.2 fixed in 1.24.8, 1.25.2	0.5% Theoretical Threat	Directly Exposed
CVE-2025-61725	MEDIUM4.5	stdlib v1.23.2 fixed in 1.24.8, 1.25.2	0.6% Theoretical Threat	Directly Exposed
CVE-2025-61730	MEDIUM4.5	stdlib v1.23.2 fixed in 1.24.12, 1.25.6	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42507	MEDIUM4.5	stdlib v1.23.2 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Directly Exposed
CVE-2025-58186	MEDIUM4.5	stdlib v1.23.2 fixed in 1.24.8, 1.25.2	0.5% Theoretical Threat	Directly Exposed
CVE-2026-39821	MEDIUM4.18	golang.org/x/net v0.29.0 fixed in 0.55.0	0.3% Theoretical Threat	Directly Exposed
CVE-2025-22870	LOW3.74	golang.org/x/net v0.29.0 fixed in 0.36.0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-22870	LOW3.74	stdlib v1.23.2 fixed in 1.23.7, 1.24.1	0.4% Theoretical Threat	Directly Exposed
CVE-2024-45341	LOW3.57	stdlib v1.23.2 fixed in 1.22.11, 1.23.5, 1.24.0-rc.2	0.4% Theoretical Threat	Directly Exposed
CVE-2024-45337	LOW2.95	golang.org/x/crypto v0.27.0 fixed in 0.31.0	3.1% Low-Moderate Risk	Post-Exploit
CVE-2026-39828	LOW2.69	golang.org/x/crypto v0.27.0 fixed in 0.52.0	0.2% Theoretical Threat	Post-Exploit
CVE-2025-22869	LOW2.29	golang.org/x/crypto v0.27.0 fixed in 0.35.0	0.9% Theoretical Threat	Post-Exploit
CVE-2025-47913	LOW2.29	golang.org/x/crypto v0.27.0 fixed in 0.43.0	0.6% Theoretical Threat	Post-Exploit
CVE-2024-45338	LOW2.29	golang.org/x/net v0.29.0 fixed in 0.33.0	0.9% Theoretical Threat	Post-Exploit
CVE-2025-22868	LOW2.29	golang.org/x/oauth2 v0.23.0 fixed in 0.27.0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-33811	LOW2.29	stdlib v1.23.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-39820	LOW2.29	stdlib v1.23.2 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Post-Exploit
CVE-2025-58183	LOW2.29	stdlib v1.23.2 fixed in 1.24.8, 1.25.2	0.4% Theoretical Threat	Post-Exploit
CVE-2025-61728	LOW2.29	stdlib v1.23.2 fixed in 1.24.12, 1.25.6	0.6% Theoretical Threat	Post-Exploit
CVE-2026-27139	LOW2.12	stdlib v1.23.2 fixed in 1.25.8, 1.26.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-39827	NONE0	golang.org/x/crypto v0.27.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39835	NONE0	golang.org/x/crypto v0.27.0 fixed in 0.52.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-46597	NONE0	golang.org/x/crypto v0.27.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39831	NONE0	golang.org/x/crypto v0.27.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39832	NONE0	golang.org/x/crypto v0.27.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39833	NONE0	golang.org/x/crypto v0.27.0 fixed in 0.52.0	0.4% Theoretical Threat	Not Applicable
CVE-2026-39834	NONE0	golang.org/x/crypto v0.27.0 fixed in 0.52.0	0.5% Theoretical Threat	Not Applicable
CVE-2026-25680	NONE0	golang.org/x/net v0.29.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-25681	NONE0	golang.org/x/net v0.29.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-27136	NONE0	golang.org/x/net v0.29.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42502	NONE0	golang.org/x/net v0.29.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-42506	NONE0	golang.org/x/net v0.29.0 fixed in 0.55.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39824	NONE0	golang.org/x/sys v0.25.0 fixed in 0.44.0	0.1% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.23.2 fixed in 1.25.11, 1.26.4	0.6% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.23.2 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.23.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.23.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.23.2 fixed in 1.25.11, 1.26.4	0.6% Theoretical Threat	Not Applicable
CVE-2025-0913	NONE0	stdlib v1.23.2 fixed in 1.23.10, 1.24.4	0.2% Theoretical Threat	Not Applicable