Docker image contains critical CVEs from outdated Debian base image

**Description:**
When scanning the official mockserver/mockserver:5.15.0 Docker image, we discovered multiple Critical vulnerabilities in system libraries that come from the Debian 11.6 base image.

**Details:**

Base image: Debian 11.6 (from openjdk / temurin layer)

Scanner: Trivy

**Detected CVEs:**

- CVE-2024-45491 (libexpat)
- CVE-2024-45492 (libexpat)
- CVE-2023-45853 (zlib)

**Impact:**
These vulnerabilities are not in MockServer’s Java code, but in the underlying OS packages included in the Docker image. This means downstream users inherit these CVEs when pulling the official image.

**Suggested fix:**

- Update the Dockerfile to use a newer base image (e.g., Debian 11.7 or latest Temurin JRE with security patches).
- Optionally consider using a smaller / maintained base (e.g., Alpine or Distroless).
****
Evidence:

<img width="1146" height="544" alt="Image" src="https://github.com/user-attachments/assets/d3b3d280-7ec3-49cd-ba70-40737e00aa87" />

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Docker image contains critical CVEs from outdated Debian base image #1956

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Docker image contains critical CVEs from outdated Debian base image #1956

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions