Description
Observed behavior
Hello NATS Maintainers,
We are utilizing the official NATS Docker image (nats:2.12.2) in our environment and our routine security compliance scans have flagged a critical vulnerability.
CVE Details:
We kindly request an investigation and remediation plan for this finding, as it is impacting our security compliance status. This issue is likely rooted in an outdated dependency in the base operating system or within the Go runtime/libraries used to compile the NATS server.
When scanning the nats:2.12.2 container image using Trivy (or a similar vulnerability scanner), the scan reports the presence of CVE-2025-61729 in one of the image components (e.g., base OS packages or Go dependencies).
Expected behavior
The nats:2.12.2 container image should be rebuilt or patched to ensure it contains the latest security fixes for all its components, resulting in a clean security scan report without CVE-2025-61729.
Server and client version
Server Version (Image Tag): nats:2.12.2
Base OS/Runtime: Ubuntu 22.04, 24.04
Trivy Version: 0.64.1
Host environment
No response
Steps to reproduce
No response
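The report above leaves open whether the finding sits in base OS packages or in Go dependencies. The following is an added example, not part of the original issue or of NATS project code, that locates a CVE in a Trivy JSON report (`trivy image --format json`) by result class and type. The sample report is constructed; its targets, package names and versions are placeholders.

```python
import json

# Constructed sample shaped like `trivy image --format json` output. Package
# names and versions are placeholders; where the CVE lands here is arbitrary.
SAMPLE_REPORT = json.loads("""
{"ArtifactName": "nats:2.12.2", "Results": [
  {"Target": "example-os-layer", "Class": "os-pkgs", "Type": "ubuntu",
   "Vulnerabilities": [
     {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib",
      "InstalledVersion": "1.0-placeholder", "Severity": "LOW"}]},
  {"Target": "example-binary", "Class": "lang-pkgs", "Type": "gobinary",
   "Vulnerabilities": [
     {"VulnerabilityID": "CVE-2025-61729", "PkgName": "example-module",
      "InstalledVersion": "v0.0.0-placeholder",
      "FixedVersion": "v0.0.1-placeholder", "Severity": "CRITICAL"}]},
  {"Target": "example-clean-target", "Class": "lang-pkgs", "Type": "gobinary"}
]}
""")

def locate_cve(report, cve_id):
    """Return one dict per package in which cve_id was reported."""
    hits = []
    for result in report.get("Results") or []:
        # Targets without findings carry no "Vulnerabilities" key.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("VulnerabilityID") != cve_id:
                continue
            hits.append({
                "target": result.get("Target"),
                "class": result.get("Class"),
                "type": result.get("Type"),
                "package": vuln.get("PkgName"),
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion") or None,
            })
    return hits

def remediation_hint(hit):
    """Say which layer of the image has to change to clear the finding."""
    if hit["class"] == "os-pkgs":
        return "base image: update OS packages and rebuild"
    if hit["class"] == "lang-pkgs":
        return "application build: bump dependency or toolchain, recompile"
    return "unclassified: inspect the target manually"

if __name__ == "__main__":
    for h in locate_cve(SAMPLE_REPORT, "CVE-2025-61729"):
        print(h["target"], h["type"], h["package"], "|", remediation_hint(h))
```

Including the target, package name and installed version from such output in a report lets maintainers tell a base-image finding from one compiled into the binary.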