Multiple CVEs reported by Trivy scan tool for 0.41.1

[Kisan-hpe]

Hi @sreeram77
We currently have the following HIGH-severity active CVEs that are blocking our CI. Are there any plans to fix these? I noticed there haven’t been any releases since June.

Library	Vulnerability	Severity	Status	Installed Version	Fixed Version	Title
github.com/hashicorp/consul-template	CVE-2022-38149	HIGH	fixed	v0.0.0-20250724053005-80a4e25999b2+dirty	0.27.3, 0.28.3, 0.29.2	consul: Consul Template May Expose Vault Secrets When Processing Invalid Input
stdlib	CVE-2025-47907	HIGH	fixed	1.24.4	1.23.12, 1.24.6	database/sql: Postgres Scan Race Condition

[sreeram77]

CVE-2022-38149 seems to be an old issue that was fixed in 0.29.2 according to the report.

[Kisan-hpe]

Hi @sreeram77
Please check #2056 (comment), may be this is causing the issue.

Please prioritize a fix for this, as our CI is currently blocked

[sreeram77]

@Kisan-hpe Can you please confirm whether you are using the official release version? v0.0.0-20250724053005-80a4e25999b2+dirty looks like a pseudo version built locally from a commit.

[Kisan-hpe]

Hi @sreeram77 I’m using the official version in my Dockerfile shown below. You can run a Trivy scan against the latest version to see the same results.
FROM hashicorp/consul-template:0.41.1 AS consul-template

[Kisan-hpe]

Hi @sreeram77 Are you able to reproduce the same result, or have you already found a fix for this?

[sanikachavan5]

Hi @Kisan-hpe, we are checking the issue about CVE-2022-38149. However the other vulnerability fix is merged however not released. Will inform when that's released.

[Kisan-hpe]

@sanikachavan5 Any update on when the fix version will be released?

[Kisan-hpe]

Hi @sreeram77 Any updates on this issue? Our CI is blocked.

[sanikachavan5]

Hi Kisan, the release is planned with our September patch release. I'll notify once released.

[Kisan-hpe]

Hi @sreeram77 & @sanikachavan5 Any updates on this?

[sanikachavan5]

@Kisan-hpe please validate if the CVEs are fixed with the latest release.

[Kisan-hpe]

Hi @sreeram77
I can still see below CVE.
github.com/hashicorp/consul-template │ CVE-2022-38149 │ HIGH │ fixed │ v0.0.0-20250919100342-950f719fd53c+dirty │ 0.27.3, 0.28.3, 0.29.2

You can run trivy scan on latest image to get the result.