CVE-2025-49796 (HIGH): detected in Lambda Docker Images. #312
Description
CVE Details
| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
|---|---|---|---|---|---|---|
| CVE-2025-49796 | HIGH |
libxml2 |
2.10.4-1.amzn2023.0.11 |
2.10.4-1.amzn2023.0.12 |
2025-06-16T16:15:19.37Z |
2025-07-30T10:18:06.667966562Z |
Affected Docker Images
| Image Name | SHA |
|---|---|
public.ecr.aws/lambda/provided:latest |
public.ecr.aws/lambda/provided@sha256:5c7e82ab6d0787ebb88122b52442dfccfc0e26013c9797e151be7823f0694a8f |
public.ecr.aws/lambda/provided:al2023 |
public.ecr.aws/lambda/provided@sha256:5c7e82ab6d0787ebb88122b52442dfccfc0e26013c9797e151be7823f0694a8f |
public.ecr.aws/lambda/python:latest |
public.ecr.aws/lambda/python@sha256:680ad407e7cfdf666443d7bbeba313c143a39778dcdcadac17f7e5a857c5130c |
public.ecr.aws/lambda/python:3.13 |
public.ecr.aws/lambda/python@sha256:680ad407e7cfdf666443d7bbeba313c143a39778dcdcadac17f7e5a857c5130c |
public.ecr.aws/lambda/python:3.12 |
public.ecr.aws/lambda/python@sha256:455f1bbbd1d4cb6d68b159ac3ea46d8ecb59f90e8171756be2eb21a521b25cb8 |
public.ecr.aws/lambda/nodejs:latest |
public.ecr.aws/lambda/nodejs@sha256:c297308f62470f1fc04e38a473f6abb174b31f5ba00f5733de9314d7c655d76b |
public.ecr.aws/lambda/nodejs:22 |
public.ecr.aws/lambda/nodejs@sha256:c297308f62470f1fc04e38a473f6abb174b31f5ba00f5733de9314d7c655d76b |
public.ecr.aws/lambda/nodejs:20 |
public.ecr.aws/lambda/nodejs@sha256:bca0ec79534054efee484f00d2daf079c5c390814b9b47300b37344ace63d7e7 |
public.ecr.aws/lambda/java:latest |
public.ecr.aws/lambda/java@sha256:5815d45e4d735a8e71aee343ddd138f3cb368b0452994839d04401082a63e58f |
public.ecr.aws/lambda/java:21 |
public.ecr.aws/lambda/java@sha256:5815d45e4d735a8e71aee343ddd138f3cb368b0452994839d04401082a63e58f |
public.ecr.aws/lambda/dotnet:latest |
public.ecr.aws/lambda/dotnet@sha256:9009e2c6f46e28a6ec49dc0c18e5a913ac1c0a6eff6f7fcb0df12681bdffd69d |
public.ecr.aws/lambda/dotnet:9 |
public.ecr.aws/lambda/dotnet@sha256:9009e2c6f46e28a6ec49dc0c18e5a913ac1c0a6eff6f7fcb0df12681bdffd69d |
public.ecr.aws/lambda/dotnet:8 |
public.ecr.aws/lambda/dotnet@sha256:8d6b7cb98ef74415c0c93e6cfb81f3a7a69c8e0ada0dcd2955d5dbbf710e0a95 |
public.ecr.aws/lambda/ruby:latest |
public.ecr.aws/lambda/ruby@sha256:6c7946b3317c64f196d1e76cfd4051d6343f2109191e4cb8c3501d4871023725 |
public.ecr.aws/lambda/ruby:3.4 |
public.ecr.aws/lambda/ruby@sha256:6c7946b3317c64f196d1e76cfd4051d6343f2109191e4cb8c3501d4871023725 |
public.ecr.aws/lambda/ruby:3.3 |
public.ecr.aws/lambda/ruby@sha256:05955c5a65c6cc87c054a7ff40aa589c486ce34e1e7af5a693606d1e3cd05e8f |
Description
A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.
Remediation Steps
- Update the affected package
libxml2from version2.10.4-1.amzn2023.0.11to2.10.4-1.amzn2023.0.12.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.