Skip to content

x/vulndb: potential Go vuln in github.com/aquasecurity/trivy: GHSA-q3fv-x8vg-qqm4 #5983

Description

@GoVulnBot

Advisory GHSA-q3fv-x8vg-qqm4 references a vulnerability in the following Go modules:

Module
github.com/aquasecurity/trivy

Description:

Summary

When Trivy scans a Helm chart archive (.tgz), its custom tar unpacker reads each entry with io.ReadAll(tr) and no size limit. An attacker who can place a malicious .tgz file in the scanned path can craft a small compressed archive that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer.

Affected configurations

Exploitation requires the attacker to place a crafted .tgz file in a location that Trivy will scan as a Helm chart. This applies to the following scan targets:

Command Condition
trivy config <dir> Dir...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/aquasecurity/trivy
      versions:
        - fixed: 0.71.0
      vulnerable_at: 0.70.0
summary: 'Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser in github.com/aquasecurity/trivy'
cves:
    - CVE-2026-54448
ghsas:
    - GHSA-q3fv-x8vg-qqm4
references:
    - advisory: https://github.com/advisories/GHSA-q3fv-x8vg-qqm4
    - advisory: https://github.com/aquasecurity/trivy/security/advisories/GHSA-q3fv-x8vg-qqm4
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-54448
    - fix: https://github.com/aquasecurity/trivy/commit/441251e51ae46cbcf7f436547e0a5766b25328b4
    - fix: https://github.com/aquasecurity/trivy/pull/10718
    - web: https://github.com/aquasecurity/trivy/releases/tag/v0.71.0
source:
    id: GHSA-q3fv-x8vg-qqm4
    created: 2026-07-14T20:01:21.96282791Z
review_status: UNREVIEWED

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions