Request for update to address multiple critical vulnerabilities in wodby/php:8.4 #215

@dhaley

Hi Wodby fellows,

We use the wodby/php:8.4 image in production environments.

There are multiple critical and high-severity vulnerabilities in the current version of wodby/php with CVE-2026-25794 being actively exploited.

Security Vulnerabilities in PHP 8.4 Alpine Image

AWS Inspector has identified multiple critical and high severity vulnerabilities in the wodby/php:8.4 image (Alpine Linux 3.23).

Summary

  • Total Vulnerabilities: 31
  • Critical: 7
  • High: 14
  • Medium: 10

Critical Vulnerabilities (CVSS 9.0+)

ImageMagick 7.1.2.13 → 7.1.2.15-r0

  1. CVE-2026-25971 (CVSS 9.8) - Stack overflow from circular MSL references
  2. CVE-2026-25897 (CVSS 9.8) - Integer overflow in sun decoder leading to heap write
  3. CVE-2026-25898 (CVSS 9.1) - Global buffer overflow in UIL/XPM encoder
  4. CVE-2026-25987 (CVSS 9.1) - Heap buffer over-read in MAP decoder
  5. CVE-2026-25968 (CVSS 9.8) - Stack buffer overflow in MSL attribute processing
  6. CVE-2026-25986 (CVSS 9.8) - Heap buffer overflow in YUV 4:2:2 image reader
  7. CVE-2026-25983 (CVSS 9.8) - Heap use-after-free in MSL script parser

High Severity Vulnerabilities (CVSS 7.0-8.9)

ImageMagick 7.1.2.13 → 7.1.2.15-r0

  1. CVE-2026-25988 (CVSS 7.5) - Memory leak in MSL stack index handling
  2. CVE-2026-25970 (CVSS 7.5) - Integer overflow in SIXEL decoder
  3. CVE-2026-25794 (CVSS 8.2) - Integer overflow in UHDR writer (exploit available)
  4. CVE-2026-26283 (CVSS 7.5) - Infinite loop in JPEG encoder
  5. CVE-2026-26066 (CVSS 7.5) - Infinite loop in IPTCTEXT writer
  6. CVE-2026-25989 (CVSS 7.5) - Off-by-one in SVG processing
  7. CVE-2026-25967 (CVSS 7.5) - Stack buffer overflow in FTXT reader
  8. CVE-2026-24485 (CVSS 7.5) - Infinite loop in PCD decoder
  9. CVE-2026-25966 (CVSS 7.8) - Security policy bypass via fd: pseudo-filenames
  10. CVE-2026-25985 (CVSS 7.5) - Memory exhaustion in SVG processing
  11. CVE-2026-25798 (CVSS 7.5) - NULL pointer dereference in ClonePixelCacheRepository
  12. CVE-2026-25969 (CVSS 7.5) - Memory leak in ASHLAR writer
  13. CVE-2026-25795 (CVSS 7.5) - NULL pointer dereference in SFW reader
  14. CVE-2026-27798 (CVSS 7.1) - Heap buffer over-read in wavelet-denoise operator

Medium Severity Vulnerabilities (CVSS 4.0-6.9)

ImageMagick 7.1.2.13 → 7.1.2.15-r0

  1. CVE-2026-25982 (CVSS 6.5) - Heap out-of-bounds read in DICOM decoder
  2. CVE-2026-25638 (CVSS 5.3) - Memory leak in MSL writer
  3. CVE-2026-25637 (CVSS 5.3) - Memory leak in ASHLAR writer
  4. CVE-2026-24484 (CVSS 5.3) - DoS via nested MVG to SVG conversions
  5. CVE-2026-25797 (CVSS 5.3) - PostScript/HTML injection in encoders
  6. CVE-2026-25576 (CVSS 5.5) - Heap buffer over-read in raw image formats
  7. CVE-2026-27799 (CVSS 4.4) - Integer truncation in DJVU handler

golang.org/x/net v0.38.0 → v0.45.0

  1. CVE-2025-58190 (CVSS 5.3) - Infinite parsing loop in html.Parse
  2. CVE-2025-47911 (CVSS 5.3) - Quadratic parsing complexity in html.Parse

Remediation

ImageMagick: Upgrade from 7.1.2.13-r0 to 7.1.2.15-r0

apk update && apk upgrade imagemagick

golang.org/x/net: Upgrade from v0.38.0 to v0.45.0 in /usr/bin/newrelic-daemon

References

Priority

This issue should be addressed urgently due to:

  • 7 critical vulnerabilities with CVSS scores of 9.0+
  • 1 vulnerability with known exploit in the wild (CVE-2026-25794)
  • Multiple memory corruption and DoS vulnerabilities

Detected by AWS Inspector on March 3, 2026
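One way to verify that a rebuilt image actually carries the fixed package versions listed under Remediation is to compare what `apk list --installed` reports against the fixed versions from the report. The following is an added example written for this page, not code from Wodby, AWS Inspector or the issue author; the `apk list --installed` sample lines are constructed, and the fixed versions are the ones stated in the Remediation section above. It parses Alpine package versions of the form `X.Y.Z.W-rN` (and Go module versions like `v0.45.0`, which would come from `go version -m /usr/bin/newrelic-daemon`; parsing that command's output is not shown) and reports any package still below its fix.

```python
"""Compare installed Alpine package versions against the fixed versions
named in the report.  Added example; the sample apk output is constructed."""
import re
from typing import Dict, List, Tuple

# Fixed versions taken from the Remediation section of the report above.
FIXED_VERSIONS: Dict[str, str] = {
    "imagemagick": "7.1.2.15-r0",
    "golang.org/x/net": "v0.45.0",
}

# Matches '7.1.2.13-r0' (Alpine package version) and 'v0.38.0' (Go module).
VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:-r(\d+))?$")

# One line of `apk list --installed`: '<name>-<version> <arch> {origin} (license) [installed]'.
# The version is taken to start at the first '-' followed by a digit, which is
# the Alpine naming convention (so 'imagemagick-libs-7.1.2.13-r0' splits correctly).
APK_LINE_RE = re.compile(r"^(?P<name>\S+?)-(?P<version>\d\S*)\s")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '7.1.2.13-r0' or 'v0.38.0' into a tuple that compares correctly.

    The numeric components become a tuple of ints, and the Alpine '-rN'
    package release becomes the second element (0 when absent, as with Go
    module versions).  Pre-release suffixes such as '_rc1' are not handled;
    they raise ValueError rather than silently comparing wrongly.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    release = int(m.group(2) or 0)
    return numbers, release


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the fixed version."""
    return parse_version(installed) >= parse_version(fixed)


def parse_apk_list(output: str) -> Dict[str, str]:
    """Map package name -> installed version from `apk list --installed` output."""
    installed: Dict[str, str] = {}
    for line in output.splitlines():
        m = APK_LINE_RE.match(line)
        if m:
            installed[m.group("name")] = m.group("version")
    return installed


def outstanding(installed: Dict[str, str],
                fixed: Dict[str, str] = FIXED_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (package, installed_version, fixed_version) for every package
    that appears in the fixed-version table and is still below its fix."""
    return [
        (pkg, version, fixed[pkg])
        for pkg, version in installed.items()
        if pkg in fixed and not is_fixed(version, fixed[pkg])
    ]


# Constructed sample of `apk list --installed` output (not from a real container).
SAMPLE_APK_LIST = """\
imagemagick-7.1.2.13-r0 x86_64 {imagemagick} (ImageMagick) [installed]
imagemagick-libs-7.1.2.13-r0 x86_64 {imagemagick} (ImageMagick) [installed]
musl-1.2.5-r10 x86_64 {musl} (MIT) [installed]
"""

if __name__ == "__main__":
    for pkg, have, want in outstanding(parse_apk_list(SAMPLE_APK_LIST)):
        print(f"{pkg}: installed {have}, fixed in {want}")
```

Running it against the constructed sample flags `imagemagick` as still at 7.1.2.13-r0. In a real pipeline the sample string would be replaced by `docker run --rm <image> apk list --installed` output, and a non-empty result from `outstanding()` would fail the build so the unpatched image is never promoted.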
