CVE-2025-65965: Grype has a credential disclosure vulnerability in its JSON output
A credential disclosure vulnerability was found in Grype, affecting versions v0.68.0 through v0.104.0. If registry credentials are defined in the configuration and grype's output is written to a file with the --file option or with --output json=<file>, the registry credentials are included unsanitized in the output file.
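As an added example (not part of the advisory or of grype's own code), the check below walks the descriptor.configuration subtree of a grype JSON report written by an affected version, lists every non-empty credential field, and produces a redacted copy; it covers the whole configuration subtree rather than only registry.auth. The registry.auth field names are assumed from grype's registry configuration, and the sample report is constructed with placeholder values.

```python
import copy
import json

# Constructed sample of the report an affected grype version could write with
# --file. The descriptor.configuration.registry.auth layout is assumed from
# grype's registry config; every value below is a placeholder, not a secret.
SAMPLE_REPORT = {
    "matches": [],
    "descriptor": {"name": "grype", "version": "0.100.0", "configuration": {
        "registry": {"insecure-skip-tls-verify": False, "auth": [{
            "authority": "registry.example.internal", "username": "ci-scanner",
            "password": "PLACEHOLDER-PASSWORD", "token": "",
            "tls-cert": "", "tls-key": "PLACEHOLDER-PEM-KEY"}]}}},
}

# Config keys whose values are secrets; "username" is left as context only.
SECRET_KEYS = {"password", "token", "tls-key"}
REDACTED = "[REDACTED]"


def _walk(node, path=()):
    """Yield (path, key, value) for every populated secret key in the subtree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in SECRET_KEYS and isinstance(value, str) and value \
                    and value != REDACTED:
                yield path, key, value
            else:
                yield from _walk(value, path + (key,))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, path + (i,))


def find_leaked_credentials(report):
    """Return pointer-style paths (relative to descriptor.configuration) of leaks."""
    config = report.get("descriptor", {}).get("configuration", {})
    return ["/" + "/".join(str(p) for p in path + (key,))
            for path, key, _ in _walk(config)]


def redact_report(report):
    """Return a deep copy of the report with every leaked secret replaced."""
    clean = copy.deepcopy(report)
    config = clean.get("descriptor", {}).get("configuration", {})
    for path, key, _ in list(_walk(config)):  # materialise before mutating
        node = config
        for step in path:
            node = node[step]
        node[key] = REDACTED
    return clean


if __name__ == "__main__":
    print(find_leaked_credentials(SAMPLE_REPORT))
    print(json.dumps(redact_report(SAMPLE_REPORT), indent=2))
```

To audit existing reports, load each file with json.load and pass the result to find_leaked_credentials; a non-empty list means the file should be treated as having exposed the listed fields.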
References
- github.com/advisories/GHSA-6gxw-85q2-q646
- github.com/anchore/grype
- github.com/anchore/grype/commit/39f7fa17af2739cafe9b27176d4a68f7c05f21c1
- github.com/anchore/grype/commit/c99f79de49a58dc16d7fd8f35160b169b87db9de
- github.com/anchore/grype/pull/3068
- github.com/anchore/grype/security/advisories/GHSA-6gxw-85q2-q646
- nvd.nist.gov/vuln/detail/CVE-2025-65965