Improper Removal of Sensitive Information Before Storage or Transfer in github.com/anchore/grype/cmd/grype/cli/commands | CVE-2025-65965

Q: How to fix?

Upgrade github.com/anchore/grype/cmd/grype/cli/commands to version 0.104.1 or higher.

Introduced: 25 Nov 2025

NewCVE-2025-65965 (opens in a new tab) CWE-212 (opens in a new tab)

How to fix?

Upgrade github.com/anchore/grype/cmd/grype/cli/commands to version 0.104.1 or higher.

Overview

Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the form of registry credentials in JSON output files. When registry authentication is configured, an attacker can obtain registry credentials or other values (e.g. registry.auth[].password) by using the --file or --output json=<file> options, even if the credentials are not in use.

A malformed Grype Template could also theoretically be subject to this vulnerability, in Descriptor.Registry.Auth fields.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Improper Removal of Sensitive Information Before Storage or Transfer Affecting github.com/anchore/grype/cmd/grype/cli/commands package, versions >=0.68.0 <0.104.1

Severity

Do your applications use this vulnerable package?

Introduced: 25 Nov 2025

How to fix?

Overview

References

CVSS Base Scores

Snyk