2417103 – (CVE-2025-65965) CVE-2025-65965 github.com/anchore/grype: Grype credential disclosure vulnerability

Bug 2417103 (CVE-2025-65965) - CVE-2025-65965 github.com/anchore/grype: Grype credential disclosure vulnerability

Summary: CVE-2025-65965 github.com/anchore/grype: Grype credential disclosure vulnerab...

Keywords:
Status:	NEW
Alias:	CVE-2025-65965
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2417127 2417128
Blocks:
TreeView+	depends on / blocked

Reported:	2025-11-25 20:01 UTC by OSIDB Bzimport
Modified:	2025-11-25 20:59 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-11-25 20:01:55 UTC

Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file. This issue has been patched in version 0.104.1. Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options.

Note You need to log in before you can comment on or make changes to this bug.