Open
Description
Hi everyone,
While running our container image scanning pipeline with trivy, we discovered that mcr.microsoft.com/openjdk/jdk:25-distroless ships with a go binary (usr/bin/jaz) built against a vulnerable version of the go stdlib (v1.25.7).
```
┌──────────────────────────────────────────────────────────────┬────────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ mcr.microsoft.com/openjdk/jdk:25-distroless (azurelinux 3.0) │ azurelinux │ 0 │ - │
├──────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ usr/bin/jaz │ gobinary │ 3 │ - │
└──────────────────────────────────────────────────────────────┴────────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

usr/bin/jaz (gobinary)
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2026-25679 │ HIGH │ fixed │ v1.25.7 │ 1.25.8, 1.26.1 │ net/url: Incorrect parsing of IPv6 host literals in net/url │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-25679 │
│ ├────────────────┼──────────┤ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2026-27142 │ MEDIUM │ │ │ │ html/template: URLs in meta content attribute actions are │
│ │ │ │ │ │ │ not escaped in html/template... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-27142 │
│ ├────────────────┼──────────┤ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2026-27139 │ LOW │ │ │ │ os: FileInfo can escape from a Root in golang os module │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-27139 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘
```
Would it be possible to rebuild usr/bin/jaz using go >= 1.25.8 or >= 1.26.1 and publish an updated image?
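A quick way to re-check the fix status the report asks for, added here as an example (not code from the issue, the image, or trivy): it reads the toolchain version recorded in a Go binary's build info (assumed to be a copy of usr/bin/jaz extracted from the image) and compares it against the fixed versions per release line, since 1.26.0 is numerically newer than 1.25.8 but still lacks the fix.

```go
package main
import (
	"debug/buildinfo"
	"fmt"
	"strconv"
	"strings"
)
// parseGoVersion turns "go1.25.7" (build info) or "1.25.8" (trivy) into [major, minor, patch].
func parseGoVersion(v string) (out [3]int, err error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(v), "go"), ".")
	for i := 0; i < len(parts) && i < 3 && err == nil; i++ {
		out[i], err = strconv.Atoi(parts[i])
	}
	if len(parts) < 2 || len(parts) > 3 || err != nil {
		return out, fmt.Errorf("unrecognised go version %q", v)
	}
	return out, nil
}

// IsPatched compares per release line: 1.26.0 sorts above 1.25.8 yet lacks the
// fix. A line newer than every listed fix counts as patched, an older one as not.
func IsPatched(built string, fixed []string) (bool, error) {
	b, err := parseGoVersion(built)
	if err != nil {
		return false, err
	}
	oldestLine := -1
	for _, f := range fixed {
		fv, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		if oldestLine < 0 || fv[1] < oldestLine {
			oldestLine = fv[1]
		}
		if fv[0] == b[0] && fv[1] == b[1] {
			return b[2] >= fv[2], nil
		}
	}
	return b[1] > oldestLine, nil
}
// ToolchainOf reads the toolchain version recorded in a Go binary's build info
// (the path is assumed to point at a binary copied out of the image).
func ToolchainOf(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}
```

Feed `ToolchainOf("./jaz")` into `IsPatched(v, []string{"1.25.8", "1.26.1"})` with the fixed versions from the trivy row; a development or release-candidate toolchain string is reported as an error rather than guessed at.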