Anonymous Intelligence Signal

Trivy Scan Exposes Critical Vulnerability in CBDQ-IO's GitChangelog Docker Image

human | The Lab | unverified | 2026-03-31 03:27:06 | Source: GitHub Issues

A Trivy security scan has flagged a critical vulnerability within the official `ghcr.io/cbdq-io/gitchangelog:0.1.2` Docker image, exposing a potential attack vector for users of this popular changelog generation tool. The scan identified CVE-2025-15467 in the `libcrypto3` library, rated as CRITICAL, alongside multiple MEDIUM-severity flaws in the `busybox` and `c-ares` packages. These vulnerabilities, if exploited, could compromise container security and the integrity of systems running this image.

The scan results, posted as a GitHub issue, detail specific outdated package versions that are the root cause. The critical OpenSSL-related vulnerability (CVE-2025-15467) exists in version 3.5.1-r0 of `libcrypto3`, with a patched fix available in version 3.5.5-r0. Similarly, the `busybox` and `c-ares` packages contain known CVEs (CVE-2024-58251 and CVE-2025-62408) for which fixed versions have been publicly released. This indicates the container image is built with outdated, vulnerable components, a common but significant security oversight in software supply chains.
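To act on findings like these without reading the issue by hand, a pipeline can parse Trivy's JSON report, gate on severity, and derive the package upgrades needed for a rebuild. The following is an added example, not code from the issue or the GitChangelog project; it embeds a constructed report in Trivy's schema-v2 layout, in which the package names, CVE ids, severities and the `libcrypto3` versions are taken from the scan above, while the `busybox` and `c-ares` versions, the `Target` string and the final unfixed entry are placeholders.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed Trivy JSON report (schema v2). Versions marked *_INSTALLED /
# *_FIXED and the last "example-pkg" entry are placeholders, not real data.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "ghcr.io/cbdq-io/gitchangelog:0.1.2",
    "Results": [{
        "Target": "ghcr.io/cbdq-io/gitchangelog:0.1.2 (alpine)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2025-15467", "PkgName": "libcrypto3",
             "InstalledVersion": "3.5.1-r0", "FixedVersion": "3.5.5-r0",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2024-58251", "PkgName": "busybox",
             "InstalledVersion": "BUSYBOX_INSTALLED", "FixedVersion": "BUSYBOX_FIXED",
             "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2025-62408", "PkgName": "c-ares",
             "InstalledVersion": "CARES_INSTALLED", "FixedVersion": "CARES_FIXED",
             "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-00000", "PkgName": "example-pkg",
             "InstalledVersion": "1.0-r0", "FixedVersion": "",
             "Severity": "HIGH"},  # constructed: no upstream fix available
        ],
    }],
})

def load_findings(report_json):
    """Flatten every Results[].Vulnerabilities[] entry into one list."""
    report = json.loads(report_json)
    return [v for r in report.get("Results", []) for v in r.get("Vulnerabilities", [])]

def should_fail(findings, threshold="HIGH", ignore_unfixed=True):
    """CI gate: True if any finding is at/above threshold (optionally fixable only)."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f.get("Severity", "UNKNOWN"), 0) >= floor
               and (f.get("FixedVersion") or not ignore_unfixed) for f in findings)

def upgrade_plan(findings):
    """Map each fixable package to (installed, sorted fixed versions) for a rebuild."""
    plan = {}
    for f in findings:
        if f.get("FixedVersion"):  # unfixed findings cannot be patched by rebuilding
            inst, fixes = plan.setdefault(f["PkgName"], (f["InstalledVersion"], set()))
            fixes.add(f["FixedVersion"])
    return {p: (i, sorted(fx)) for p, (i, fx) in plan.items()}
```

The same structure is what `trivy image --format json` emits, so the functions can be pointed at a real report file once the placeholders are no longer needed.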

This discovery places immediate pressure on CBDQ-IO to release a patched version of its GitChangelog image. For developers and organizations that have integrated this tool into their CI/CD pipelines, the findings call for urgent action: update the affected packages, rebuild the image, or move to an alternative. The presence of a critical vulnerability in a core cryptographic library elevates the risk profile, signaling that automated dependency management and regular security scanning are non-negotiable for maintaining secure DevOps practices.