UNCLASSIFIED - NO CUI

chore(findings): mitre/saf/saf-mainline

Summary

mitre/saf/saf-mainline has 29 new findings discovered during continuous monitoring.

Layer: opensource/nodejs/nodejs22:22.14.0-slim is EOL, please update if possible

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=mitre/saf/saf-mainline&tag=9bd2347a1d7aca8904f4a980b4457806c38b004c&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

| id | source | severity | package | impact | workaround | epss_score | kev |
|---|---|---|---|---|---|---|---|
| CVE-2025-48060 | Twistlock CVE | High | jq-1.7.1-r0 | | | 0.00081 | false |
| CVE-2025-23166 | Anchore CVE | High | node-22.14.0 | | | 0.00065 | false |
| CVE-2025-23165 | Anchore CVE | Low | node-22.14.0 | | | 0.00063 | false |
| CVE-2024-23337 | Twistlock CVE | Medium | jq-1.7.1-r0 | | | 0.00055 | false |
| CVE-2025-5025 | Twistlock CVE | Low | curl-8.12.1-r1 | | | 0.00035 | false |
| CVE-2025-5025 | Anchore CVE | Medium | curl-8.12.1-r1 | | | 0.00035 | false |
| CVE-2025-4947 | Anchore CVE | Medium | curl-8.12.1-r1 | | | 0.00031 | false |
| CVE-2025-5889 | Twistlock CVE | Low | brace-expansion-2.0.1 | | I'm mirroring the CVE severity assessment here. Sanitize strings being passed to the function so that they don't contain many `,` in a row. | 0.00022 | false |
| CVE-2024-53427 | Twistlock CVE | Low | jq-1.7.1-r0 | | | 0.00012 | false |
| f7664f84920b1f8bc088bd89dd3fdd7b | Anchore Compliance | Critical | | | | N/A | N/A |
| f123fa5d2443013431c85a742323ed0f | Anchore Compliance | Critical | | | | N/A | N/A |
| e916ec03d9086e3525fbff694689e840 | Anchore Compliance | Critical | | | | N/A | N/A |
| d2675cf0532f59b3fbfea6af71e8bc08 | Anchore Compliance | Critical | | | | N/A | N/A |
| d168277f57dc64ae2dfa0f6acaa43ef2 | Anchore Compliance | Critical | | | | N/A | N/A |
| bb8701bf6a9200ad3ff071c6dbc046e8 | Anchore Compliance | Critical | | | | N/A | N/A |
| b95be73f2d7635d3a0d752f24f36717d | Anchore Compliance | Critical | | | | N/A | N/A |
| b655c0dcb4848010197132447b2008ee | Anchore Compliance | Critical | | | | N/A | N/A |
| b431ff7bbe949a3b9a3383d3970914af | Anchore Compliance | Critical | | | | N/A | N/A |
| acd9bd1ded7428305141301095a16940 | Anchore Compliance | Critical | | | | N/A | N/A |
| a564de7456a95eab19f52620bfe507f0 | Anchore Compliance | Critical | | | | N/A | N/A |
| GHSA-v6h2-p8h4-qcjw | Anchore CVE | Low | brace-expansion-2.0.1 | | | N/A | N/A |
| 8cbd969ea64f9b343bb235677dedbcfe | Anchore Compliance | Critical | | | | N/A | N/A |
| 8220c458fa311835c0f798a1b4dcf797 | Anchore Compliance | Critical | | | | N/A | N/A |
| 7335b816c4b382dddd5c15d04aa78228 | Anchore Compliance | Critical | | | | N/A | N/A |
| 54281577bed582c500414ad6952acd9d | Anchore Compliance | Critical | | | | N/A | N/A |
| 3e1917c040447e1043aa5443bc2919d0 | Anchore Compliance | Critical | | | | N/A | N/A |
| 2e5cd92e8af7469046ec494bbcda18b0 | Anchore Compliance | Critical | | | | N/A | N/A |
| 0605c3c8dd5f507c058c13529bf45496 | Anchore Compliance | Critical | | | | N/A | N/A |
| 00984cd4448e03b51cc3b003a5e19848 | Anchore Compliance | Critical | | | | N/A | N/A |

Tasks

Contributor:

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.
