CVEs in localstack/snowflake:latest - outdated Netty, Jetty, and Node dependencies (https://hub.docker.com/r/localstack/snowflake)

[dchirt]

Trivy scan of localstack/snowflake:latest (pulled 2026-05-19, debian forky/sid base) shows 7 HIGH-severity CVEs across bundled JARs and Node packages. The debian layer, Python, Go, and Rust binaries are clean.

HIGH findings:

Package	CVE	Installed	Fixed In
io.netty:netty-codec	CVE-2026-42583	4.1.127	4.1.133
io.netty:netty-codec-dns	CVE-2026-42579	4.1.127	4.1.133
io.netty:netty-codec-http	CVE-2026-42584	4.1.132	4.1.133
io.netty:netty-codec-http	CVE-2026-42587	4.1.132	4.1.133
io.netty:netty-codec-http2	CVE-2026-42587	4.1.132	4.1.133
org.eclipse.jetty:jetty-http	CVE-2026-2332	12.0.31	12.0.33
org.eclipse.jetty:jetty-server	CVE-2026-1605	12.0.31	12.0.32
picomatch	CVE-2026-33671	4.0.3	4.0.4

There are also 11 MEDIUM and 2 LOW findings (jackson-core, additional netty codecs, kotlin-stdlib, brace-expansion, fast-xml-parser, ip-address, picomatch).

Reproduction:

docker pull localstack/snowflake:latest
trivy image --format template --template "@/path/to/html.tpl" localstack/snowflake:latest

Ask: Bump Netty to 4.1.133+ and Jetty to 12.0.33+ in the next image build. The Node-side fixes (picomatch 4.0.4, brace-expansion 2.0.3) are also potential one-liners.

Full Trivy HTML report:

localstack.snowflake.latest.html

[purcell]

Hi @dchirt — the latest available patched netty and jetty are included in the v2026.5.0 release, which went out today. I also believe that the included picomatch and brace-expansion should be the latest versions.