CVE-2025-64720 (HIGH): detected in Lambda Docker Images. #367

@the-lambda-watchdog

CVE Details

| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
|---|---|---|---|---|---|---|
| CVE-2025-64720 | HIGH | libpng | 2:1.5.13-8.amzn2.0.5 | 2:1.5.13-8.amzn2.0.6 | 2025-11-25T00:15:47.46Z | 2026-01-06T10:18:25.304045589Z |

Affected Docker Images

| Image Name | SHA |
|---|---|
| public.ecr.aws/lambda/provided:al2 | public.ecr.aws/lambda/provided@sha256:5191eb43a2bc33971e3f8bf86eca599b47850d45e891523c909389153419f891 |
| public.ecr.aws/lambda/python:3.11 | public.ecr.aws/lambda/python@sha256:6d65e3ca1ce9290c7ce5efedfc9d3c1f3338c82367223233c2096450a7a8c970 |
| public.ecr.aws/lambda/python:3.10 | public.ecr.aws/lambda/python@sha256:e1edc439fe12bbbabf75e8ebdad30dda045742ef9731f3cf1f1f40145ef2cdc0 |
| public.ecr.aws/lambda/java:17 | public.ecr.aws/lambda/java@sha256:013285fa766fce5ab479e102eda5a40cc26ce988e8b452efdd5d0aec3c31e029 |
| public.ecr.aws/lambda/java:11 | public.ecr.aws/lambda/java@sha256:3cd54e51d4d4de78172d0b73540aae79cb0219e6fea238ed7e767b505bf82927 |
| public.ecr.aws/lambda/java:8.al2 | public.ecr.aws/lambda/java@sha256:be58ea2453c19314ec7cae2c2ba5bc5969650b608532a2cb07a5e37b853c2ce7 |
| public.ecr.aws/lambda/ruby:3.2 | public.ecr.aws/lambda/ruby@sha256:8d217eaf3d3637ad0c02ff23ef2a2831b985c5119663e625949046befcf3380e |

Description

libpng is the reference library for applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 up to, but not including, 1.6.51, an out-of-bounds read exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 that the simplified PNG API requires. This issue has been patched in version 1.6.51.

Remediation Steps

  • Update the affected package libpng from version 2:1.5.13-8.amzn2.0.5 to 2:1.5.13-8.amzn2.0.6.

About this issue

  • This issue may not contain all the information about the CVE nor the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.
