CVE-2025-58050 Medium/Critical Vulnerability: pcre2

[mil7]

Bug Overview

Hi there,
we currently stumble over prce2's already fixed vulnerability CVE-2025-58050, which is "only" MEDIUM for CVSS 4.0 but CRITICAL for CVSS 3.1. The latter is still enforced at some places.

The vulnerability is known in the latest Image of nginx-alpine.

Thanks for handling this vulnerability 💐

Expected Behavior

CVE-2025-58050 is fixed because prce2 up-to-date.

Steps to Reproduce the Bug

https://hub.docker.com/layers/library/nginx/1.29.2-alpine/images/sha256-c17e49b2e5cf2a4523284e2b446f3829088a233b27f12333ab13546bc177d8c7

Environment Details

• Docker Desktop & Server
• Version of the Docker NGINX image or specific commit: https://hub.docker.com/layers/library/nginx/1.29.2-alpine/images/sha256-c17e49b2e5cf2a4523284e2b446f3829088a233b27f12333ab13546bc177d8c7
• Target deployment platform: OpenShift
• Target OS: https://hub.docker.com/layers/library/nginx/1.29.2-alpine/images/sha256-c17e49b2e5cf2a4523284e2b446f3829088a233b27f12333ab13546bc177d8c7

Additional Context

No response

[lisotton]

Alpine already fixed in it's image, I think if the Nginx images based on Alpine were only rebuilt, the issue will be fixed in Nginx images.

Can some maintainer trigger the building of the images?

[mil7]

https://hub.docker.com/layers/library/nginx/1.29.3-alpine/images/ is out now with many vulnerabilities including this one fixed.

Not sure about versioning https://github.com/nginx/docker-nginx/tags or hierarchy though. 😅

[yosifkit]

The new images are correct. The new version was added to the Dockerfiles by the maintainer in #1006. And then that change was given to Docker Official Images to be built and pushed to Docker Hub in docker-library/official-images#20177.

Since the system packages are now up-to-date, this can be closed.

[thresheek]

I've also pushed a new tag to this repo to reflect the change in #1006

Thank you