
Vulnerability in redocly/redoc docker images v2.4 & v2.5 #2706

@TKramerLenze


Hi,

Describe the bug
CVE-2025-4947 clearly states that libcurl mistakenly bypasses certificate verification for QUIC connections when a host is specified as an IP address in the URL. It is clear that this system does not detect impostors or man-in-the-middle attacks. (https://curl.se/docs/CVE-2025-4947.html)

The docker image redocly/redoc in version 2.4 uses libcurl version 8.11.1 and is affected by the mentioned vulnerability. It is clear that version 2.5 uses libcurl 8.12.1, which is also affected by the vulnerability.

Expected behavior
Docker image version 2.5 or a new one will be published with an unaffected libcurl library.

Minimal reproducible OpenAPI snippet (if possible)

Screenshots

Additional context
Could you check, and if you can, publish the next version of your Docker image with an unaffected libcurl library?

Thank you!
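A triage check for the report above, added here as an example and not code from the issue author or the redoc project. It parses the text that `curl --version` prints inside a container (constructed sample below) and classifies the build; the affected range (8.11.0 up to but excluding 8.14.0) and the condition that only QUIC/HTTP3 builds on the wolfSSL backend reach the skipped check are assumptions taken from the linked curl advisory and should be confirmed against it.

```python
"""Classify a libcurl build against CVE-2025-4947 from `curl --version` output.

Added example. Affected range and the HTTP3 + wolfSSL condition are
assumptions taken from the linked curl advisory; verify them there.
"""
import re

FIRST_AFFECTED = (8, 11, 0)   # assumed: first affected release
FIRST_FIXED = (8, 14, 0)      # assumed: first fixed release


def parse_curl_version(output: str) -> dict:
    """Extract libcurl version, TLS backend hint and feature flags."""
    lines = output.strip().splitlines()
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", lines[0])
    if not m:
        raise ValueError("no libcurl/x.y.z token on the first line")
    features = set()
    for line in lines[1:]:
        if line.startswith("Features:"):
            features = set(line.split(":", 1)[1].split())
    return {
        "libcurl": tuple(int(x) for x in m.groups()),
        "wolfssl": "wolfSSL/" in lines[0],   # curl prints the TLS lib as NAME/ver
        "http3": "HTTP3" in features,        # QUIC support compiled in
    }


def assess(output: str) -> str:
    """'vulnerable', 'version-affected-but-unreachable' or 'not-affected'."""
    info = parse_curl_version(output)
    if not (FIRST_AFFECTED <= info["libcurl"] < FIRST_FIXED):
        return "not-affected"
    if info["http3"] and info["wolfssl"]:
        return "vulnerable"
    # Version is in range, but without a QUIC build on wolfSSL the skipped
    # certificate check cannot be reached. Upgrading is still the fix.
    return "version-affected-but-unreachable"


# Constructed sample, modelled on the libcurl 8.11.1 reported in the issue.
SAMPLE = """curl 8.11.1 (x86_64-alpine-linux-musl) libcurl/8.11.1 OpenSSL/3.3.2 zlib/1.3.1
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IPv6 Largefile libz SSL threadsafe
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Feed it the real output of `docker run --rm --entrypoint curl <image> --version` to see whether a given image only ships the affected version number or actually exposes the vulnerable QUIC path.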
