## 📝 Description
A Trivy image scan discovered
[CVE-2025-4565](https://nvd.nist.gov/vuln/detail/CVE-2025-4565) in the
Controller image. The protobuf package is pulled in indirectly by vdms.
The proper fix requires a protobuf dependency update in vdms and a vdms
upgrade on our side. Looking at the
[vdms](https://github.com/IntelLabs/vdms) repo, we can see both the
IntelLabs/vdms#298 issue and the
IntelLabs/vdms#299 PR, which have not been resolved
since Jun 17.
This PR overrides the protobuf package after vdms installation. A minor
version upgrade is expected to be backward compatible, hence it should
be safe to upgrade. That said, it requires running regression tests on
our end to make sure everything is still working fine.
```
$ trivy image scenescape-controller:1.4.0-rc1 -s CRITICAL,HIGH
...
Python (python-pkg)
Total: 1 (HIGH: 1, CRITICAL: 0)
┌─────────────────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────────────┬─────────────────────────────────────────────────────────┐
│ Library             │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version          │ Title                                                   │
├─────────────────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────────────┼─────────────────────────────────────────────────────────┤
│ protobuf (METADATA) │ CVE-2025-4565 │ HIGH     │ fixed  │ 4.24.2            │ 4.25.8, 5.29.5, 6.31.1 │ python-protobuf: Unbounded recursion in Python Protobuf │
│                     │               │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2025-4565               │
└─────────────────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────────────┴─────────────────────────────────────────────────────────┘
```
```
$ docker run --entrypoint python3 -it --rm scenescape-controller-test:1.4.0-rc1 -m pipdeptree --reverse --packages protobuf
------------------------------------------------------------------------
protobuf==4.24.2
└── vdms==0.0.21 [requires: protobuf==4.24.2]
```
## ✨ Type of Change
Select the type of change your PR introduces:
- [ ] 🐞 **Bug fix** – Non-breaking change which fixes an issue
- [ ] 🚀 **New feature** – Non-breaking change which adds functionality
- [ ] 🔨 **Refactor** – Non-breaking change which refactors the code base
- [ ] 💥 **Breaking change** – Changes that break existing functionality
- [ ] 📚 **Documentation update**
- [x] 🔒 **Security update**
- [ ] 🧪 **Tests**
- [ ] 🚂 **CI**
## 🧪 Testing Scenarios
Describe how the changes were tested and how reviewers can test them
too:
- [ ] ✅ Tested manually
- [ ] 🤖 Ran automated end-to-end tests
## ✅ Checklist
Before submitting the PR, ensure the following:
- [ ] 🔍 PR title is clear and descriptive
- [ ] 📝 For internal contributors: If applicable, include the JIRA
ticket number (e.g., ITEP-123456) in the PR **title**. Do **not**
include full URLs
- [ ] 💬 I have commented my code, especially in hard-to-understand areas
- [ ] 📄 I have made corresponding changes to the documentation
- [ ] ✅ I have added tests that prove my fix is effective or my feature
works
---------
Co-authored-by: Sarat Poluri <[email protected]>
Co-authored-by: Sarthak Deva <[email protected]>
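The description above makes two decisions that are easy to get wrong by hand: which of the three fixed releases Trivy lists is the right one to pin (the fix on the same major branch, not the numerically highest), and which upstream pin the forced reinstall will violate. The following is an added example, not code from this PR, the scenescape project, vdms or trivy; the version strings and the `protobuf==4.24.2` requirement are constructed from the scan and pipdeptree output shown above, and the function names are the example's own.

```python
"""Pick the protobuf override for a per-branch fix list and predict the
pin conflict the override creates.

Added example; not code from the scenescape, vdms or trivy projects.
All constants are constructed from the trivy/pipdeptree output in the PR.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed from the trivy table: installed release and one fix per branch.
INSTALLED = "4.24.2"
FIXED = ["4.25.8", "5.29.5", "6.31.1"]
# Constructed from the pipdeptree output: what vdms 0.0.21 pins.
VDMS_REQUIRES = ["protobuf==4.24.2"]

# Single-clause requirement: "name op version". Comma-separated multi-clause
# specifiers are deliberately not handled and are skipped as unparsable.
_REQ = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|!=|<=|>=|~=|<|>)\s*([0-9][0-9.]*)\s*$"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.25.8' -> (4, 25, 8). Only plain dotted releases are handled."""
    return tuple(int(p) for p in v.strip().split("."))


def is_fixed(installed: str, fixed_versions: Iterable[str]) -> bool:
    """True when `installed` is at or above the fix on its own major branch.

    Trivy lists one fixed release per maintained branch. 4.24.2 is below
    4.25.8, so it is vulnerable even though 5.29.5 and 6.31.1 are higher;
    a naive "installed >= any fixed version" comparison gets this wrong.
    A branch with no listed fix is treated as vulnerable.
    """
    inst = parse_version(installed)
    branch = [parse_version(f) for f in fixed_versions if parse_version(f)[0] == inst[0]]
    return bool(branch) and inst >= min(branch)


def pick_override(installed: str, fixed_versions: Iterable[str]) -> Optional[str]:
    """Smallest fixed release on the installed major: the minor bump the PR
    relies on for compatibility. None if that major has no fix listed."""
    inst = parse_version(installed)
    candidates = [f for f in fixed_versions if parse_version(f)[0] == inst[0]]
    return min(candidates, key=parse_version) if candidates else None


def _satisfies(version: Tuple[int, ...], op: str, pinned: Tuple[int, ...]) -> bool:
    """Evaluate one PEP 440 comparison clause against a parsed version."""
    if op == "~=":
        # Compatible release: >= pinned and same prefix up to the second-to-last field,
        # so ~=4.24.2 admits 4.24.9 but not 4.25.x.
        upper = pinned[:-2] + (pinned[-2] + 1,) if len(pinned) >= 2 else pinned
        return version >= pinned and version[: len(upper)] < upper
    return {
        "==": version == pinned,
        "!=": version != pinned,
        "<=": version <= pinned,
        ">=": version >= pinned,
        "<": version < pinned,
        ">": version > pinned,
    }[op]


def pin_conflicts(override: str, requirements: Iterable[str], package: str = "protobuf") -> List[str]:
    """Requirement lines on `package` that `override` violates, i.e. what
    `pip check` will report after the forced reinstall."""
    ver = parse_version(override)
    conflicts = []
    for req in requirements:
        m = _REQ.match(req)
        if not m or m.group(1).lower().replace("_", "-") != package.lower():
            continue
        _, op, pinned = m.groups()
        if not _satisfies(ver, op, parse_version(pinned)):
            conflicts.append(req)
    return conflicts


def plan(installed: str = INSTALLED, fixed_versions=FIXED, requirements=VDMS_REQUIRES) -> dict:
    """Summarise the situation: is the image fixed, what to pin, what breaks."""
    override = pick_override(installed, fixed_versions)
    return {
        "installed_fixed": is_fixed(installed, fixed_versions),
        "override": override,
        "conflicts": pin_conflicts(override, requirements) if override else [],
    }


if __name__ == "__main__":
    print(plan())
```

For the values on this page, `plan()` reports that 4.24.2 is not fixed, that the override to pin is 4.25.8, and that `protobuf==4.24.2` from vdms will be violated. The override mechanism itself is not shown in this PR; the usual form (an assumption here) is a `pip install --no-deps "protobuf==4.25.8"` step after the vdms install, after which `pip check` flags exactly that vdms pin, which is why the regression run the description asks for is not optional. The same check can be rerun against a live container by substituting `importlib.metadata.version("protobuf")` and `importlib.metadata.requires("vdms")` for the constructed constants.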