Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2025-65965

Grype has a credential disclosure vulnerability in its JSON output
Back to all
CVE

CVE-2025-65965

Grype has a credential disclosure vulnerability in its JSON output

A credential disclosure vulnerability was found in Grype, affecting versions v0.68.0 through v0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file.

Impact

In Grype versions v0.68.0 through v0.104.0, when registry authentication is configured, those credentials can be incorrectly included in the output of a Grype scan (regardless of whether those credentials are actively being used for the current scan). Users that do not have registry authentication configured are not affected by this issue.

Registry credentials can be set via the Grype configuration file (e.g. registry.auth[].usernameregistry.auth[].passwordregistry.auth[].token) or environment variables (e.g., GRYPEREGISTRYAUTH_USERNAMEGRYPEREGISTRYAUTH_PASSWORDGRYPEREGISTRYAUTH_TOKEN).

In order for the authentication details to be improperly included, the Grype file output format must be set to json with output target set to a file. For example --output json=file.json or --output json --file file.json. When these conditions are met, the configured credentials are not sanitized as they should be in the resulting JSON output file.

The authentication details could also be leaked via a malformed Grype Template. A Grype Template that includes the Descriptor.Registry.Auth fields would also include the unsanitized registry credentials. There are no known templates that include these fields.

Patches

The patch has been released in v0.104.1.

Workaround

Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options.

For example, replacing the command:

## using `--output json=path` (or `--file`) leaks credentials
grype --output json=test.json alpine:latest

with

## no use of `--output json=path` or `--file`. Output is sanitized...
grype --output json alpine:latest > test.json

...results in the same test.json output, but the credentials will be properly sanitized.

Resources

Patch pull request: https://github.com/anchore/grype/pull/3068

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.2
-
4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
6.2
-
3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Related Resources

No items found.

References

https://github.com/anchore/grype/security/advisories/GHSA-6gxw-85q2-q646, https://nvd.nist.gov/vuln/detail/CVE-2025-65965, https://github.com/anchore/grype/pull/3068, https://github.com/anchore/grype/commit/39f7fa17af2739cafe9b27176d4a68f7c05f21c1, https://github.com/anchore/grype/commit/c99f79de49a58dc16d7fd8f35160b169b87db9de, https://github.com/anchore/grype

Severity

6.2

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
6.2
EPSS Probability
0.00018%
EPSS Percentile
0.04%
Introduced Version
0.68.0,v0.0.0-20230911191006-02d513e8e862,v0.68.0
Fix Available
0.104.1,v0.0.0-20251124153429-39f7fa17af27,v0.104.1

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading