CVE-2025-10148 (MEDIUM): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2025-10148	MEDIUM	curl-minimal	8.11.1-4.amzn2023.0.1	8.15.0-4.amzn2023.0.1	2025-09-12T06:15:40.02Z	2026-01-08T10:18:24.928848896Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/provided:latest	public.ecr.aws/lambda/provided@sha256:eb9e9e4a729d9b196467f8728f0a22530b38de43ec0b9b233414a1d668b0e4cd
public.ecr.aws/lambda/provided:al2023	public.ecr.aws/lambda/provided@sha256:eb9e9e4a729d9b196467f8728f0a22530b38de43ec0b9b233414a1d668b0e4cd
public.ecr.aws/lambda/python:latest	public.ecr.aws/lambda/python@sha256:da91b03913bc525dbee8755fac06469337038504769f1167be2951d8444e2b13
public.ecr.aws/lambda/python:3.14	public.ecr.aws/lambda/python@sha256:834867e65287508faae9d0706181e3e5c72fe8d9b99319c6ab1096ce1494c4a4
public.ecr.aws/lambda/python:3.13	public.ecr.aws/lambda/python@sha256:da91b03913bc525dbee8755fac06469337038504769f1167be2951d8444e2b13
public.ecr.aws/lambda/python:3.12	public.ecr.aws/lambda/python@sha256:16139e0db9a15234bcb2956bc8e4fa41eb8529af3f78f3eaba4aa9ce987f2f68
public.ecr.aws/lambda/nodejs:latest	public.ecr.aws/lambda/nodejs@sha256:7c0f198924ea29e201d4d44ffc8f97c6ec7be3bf7b91c848939e5c2eeff6d43c
public.ecr.aws/lambda/nodejs:24	public.ecr.aws/lambda/nodejs@sha256:9d7dcad6de2f4bb85f65af1d70d14c936c671b0541a49566a2b5d3db51195b03
public.ecr.aws/lambda/nodejs:22	public.ecr.aws/lambda/nodejs@sha256:7c0f198924ea29e201d4d44ffc8f97c6ec7be3bf7b91c848939e5c2eeff6d43c
public.ecr.aws/lambda/nodejs:20	public.ecr.aws/lambda/nodejs@sha256:c9db858f1061d1662d081a7d3fe30e1c9cf8dd4eb658f60ab34cc8ebe8f939a0
public.ecr.aws/lambda/java:latest	public.ecr.aws/lambda/java@sha256:a9b13203dc78d1350ba83eb376eb2513967cbd50e66e8149e49bacc54963b7da
public.ecr.aws/lambda/java:25	public.ecr.aws/lambda/java@sha256:a4121f47bd5eb241f5eaaa1d45fcb7b6f36ad81e100001185c9aa82f5a675933
public.ecr.aws/lambda/java:21	public.ecr.aws/lambda/java@sha256:a9b13203dc78d1350ba83eb376eb2513967cbd50e66e8149e49bacc54963b7da
public.ecr.aws/lambda/dotnet:latest	public.ecr.aws/lambda/dotnet@sha256:c52688e51efa796c3222e8be649c1e5449f0ed3d48f2d90066907fd93655dc42
public.ecr.aws/lambda/dotnet:10-preview	public.ecr.aws/lambda/dotnet@sha256:584834e1d9e0b7bb96216f1483ae7e96bb544d75d8d4274bdbdbd0b16e3747ff
public.ecr.aws/lambda/dotnet:9	public.ecr.aws/lambda/dotnet@sha256:c52688e51efa796c3222e8be649c1e5449f0ed3d48f2d90066907fd93655dc42
public.ecr.aws/lambda/dotnet:8	public.ecr.aws/lambda/dotnet@sha256:306213c3a793ff21989d715e3cecd9a7e81e2e23c577b2ffac5607a3d507c948
public.ecr.aws/lambda/ruby:latest	public.ecr.aws/lambda/ruby@sha256:1c313b72d044bdb893cad3f22c0008b6a7caaf35bc80f5e2db6537f626bdf505
public.ecr.aws/lambda/ruby:3.4	public.ecr.aws/lambda/ruby@sha256:1c313b72d044bdb893cad3f22c0008b6a7caaf35bc80f5e2db6537f626bdf505
public.ecr.aws/lambda/ruby:3.3	public.ecr.aws/lambda/ruby@sha256:638473bcb8bf04bc78fcf5d3274f59145eb030c8b159fe4a9ffcb459f3454f2c

---

Description

curl's websocket code did not update the 32 bit mask pattern for each new
outgoing frame as the specification says. Instead it used a fixed mask that
persisted and was used throughout the entire connection.

A predictable mask pattern allows for a malicious server to induce traffic
between the two communicating parties that could be interpreted by an involved
proxy (configured or transparent) as genuine, real, HTTP traffic with content
and thereby poison its cache. That cached poisoned content could then be
served to all users of that proxy.

---

Remediation Steps

• Update the affected package curl-minimal from version 8.11.1-4.amzn2023.0.1 to 8.15.0-4.amzn2023.0.1.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.