Known upstream vulnerabilities in Alpine BusyBox base image

[Cod-e-Codes]

Note: Dockerfile now auto-updates Alpine packages during build, so these CVEs
will be resolved automatically once upstream fixes are released.

Summary

Security scans of marchat Docker images show the following low-severity CVEs from the Alpine base image's BusyBox package. These are not vulnerabilities in marchat, but in upstream Alpine's BusyBox.

CVEs:

• CVE-2025-46394 (BusyBox ≤1.37.0-r13) — CVSS 3.2 (Low)
• CVE-2024-58251 (BusyBox ≤1.37.0-r13) — CVSS 2.5 (Low)

Status

These vulnerabilities are present in Alpine 3.21 and 3.22 as of August 26, 2025. Fixes will be applied upstream by the Alpine maintainers.

Impact

• Low severity
• No known exploit in marchat context
• Applies only to Docker builds using Alpine base images

Plan

• Future Docker builds will automatically update all Alpine packages at build time
  using apk upgrade --no-cache to pull in patched BusyBox versions when available
• No manual Dockerfile changes are needed for future CVE fixes
• Rebuild and push images regularly to ensure latest upstream security patches are applied

References

• CVE-2025-46394 details
• CVE-2024-58251 details