Vulnerablities in node-cache version 1.26.5

[K-Cuttler]

A few vulnerabilities are present in the mentioned version, information is below:

           PACKAGE             TYPE   VERSION   SUGGESTED FIX  CRITICAL  HIGH  MEDIUM  LOW  NEGLIGIBLE  EXPLOIT  
  github.com/coredns/coredns  golang  v1.12.2      v1.12.4        0       1      0      0       0          0     
  k8s.io/kubernetes           golang  v1.30.12    v1.31.12        0       0      3      0       0          0 

Coredns is associated with: CVE-2025-58063 and Kubernetes with CVE-2025-5187. A fix in HEAD is available for the Kubernetes version but not the coredns version. Coredns has releases an upstream version: v1.12.4 that fixes the vulnerability.

[Michcioperz]

I just want to point out that in the context of k/dns both of these should be false positives. CoreDNS's CVE-2025-58063 is concerned with the etcd plugin that is not being built in. And the only component of k8s.io/kubernetes used by this repo (as seen in https://github.com/kubernetes/dns/tree/master/vendor/k8s.io/kubernetes) is the tiny iptables library, so the CVE which relates to the behavior of kube-apiserver is also not relevant.

[K-Cuttler]

I just want to point out that in the context of k/dns both of these should be false positives. CoreDNS's CVE-2025-58063 is concerned with the etcd plugin that is not being built in. And the only component of k8s.io/kubernetes used by this repo (as seen in https://github.com/kubernetes/dns/tree/master/vendor/k8s.io/kubernetes) is the tiny iptables library, so the CVE which relates to the behavior of kube-apiserver is also not relevant.

I appreciate the clarification, that meshes with my initial investigation as well. Thank you!

[sidewinder12s]

Might try re-scanning with the just released image: #728