CBDQ-IO GitChangelog Container Image Harbors Critical OpenSSL Vulnerability
A critical vulnerability in the OpenSSL library has been identified within a publicly available container image from CBDQ-IO, exposing downstream software supply chains to potential compromise. The automated security scan of the `ghcr.io/cbdq-io/gitchangelog:0.1.2` Docker image flagged CVE-2025-15467 as CRITICAL, stemming from an outdated `libcrypto3` package (version 3.5.1-r0). This flaw, for which a fixed version (3.5.5-r0) exists, represents a severe risk to any system or application built upon this container base.
The scan, performed by the Trivy vulnerability scanner, details a cluster of security issues beyond the critical OpenSSL flaw. The image also contains multiple instances of CVE-2024-58251 (rated MEDIUM) in the `busybox` and `busybox-binsh` packages, and CVE-2025-62408 (MEDIUM) in the `c-ares` library. All identified vulnerabilities have documented fixes in newer package versions, indicating the container has not been updated to incorporate essential security patches. The `gitchangelog` tool, used for generating changelogs from git metadata, is now a potential vector for exploitation if its container runtime is not properly isolated or updated.
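A CI gate over the kind of scan output described above, added here as an illustration rather than code from the article or from CBDQ-IO: it parses a Trivy `--format json` report, keeps only findings at or above a chosen severity that already have a fixed version, and returns a non-zero exit code so the pipeline stops on an image like this one. The embedded report is constructed; only the libcrypto3 versions come from the article, the busybox and c-ares versions are placeholders.

```python
import json
from typing import Dict, List

# Severity ranking used by Trivy; anything unlisted ranks lowest.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report in the shape of Trivy's `--format json` output. The
# libcrypto3 entry uses the values quoted in the article; the busybox and
# c-ares versions are placeholders because the article does not give them.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "ghcr.io/cbdq-io/gitchangelog:0.1.2",
    "Results": [{
        "Target": "ghcr.io/cbdq-io/gitchangelog:0.1.2 (alpine)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2025-15467", "PkgName": "libcrypto3",
             "InstalledVersion": "3.5.1-r0", "FixedVersion": "3.5.5-r0",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2024-58251", "PkgName": "busybox",
             "InstalledVersion": "PLACEHOLDER-installed",
             "FixedVersion": "PLACEHOLDER-fixed", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2025-62408", "PkgName": "c-ares",
             "InstalledVersion": "PLACEHOLDER-installed",
             "FixedVersion": "PLACEHOLDER-fixed", "Severity": "MEDIUM"},
        ],
    }],
})

def fixable_findings(report_json: str, min_severity: str = "HIGH") -> List[Dict[str, str]]:
    """Findings at or above min_severity for which a fixed version exists."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    hits = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key absent when a target is clean
            # Skip unfixed findings (like --ignore-unfixed): nothing to upgrade to yet.
            if not vuln.get("FixedVersion"):
                continue
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            hits.append({"id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                         "installed": vuln["InstalledVersion"],
                         "fixed": vuln["FixedVersion"], "severity": vuln["Severity"]})
    return hits

def gate(report_json: str, min_severity: str = "HIGH") -> int:
    """Exit code for a CI step: 1 if any fixable finding meets the threshold."""
    hits = fixable_findings(report_json, min_severity)
    for h in hits:
        print(f"{h['severity']} {h['id']}: {h['pkg']} {h['installed']} -> {h['fixed']}")
    return 1 if hits else 0
```

With a real image the report would come from `trivy image --format json <image>` and the script would exit with `gate(...)`; lowering `min_severity` to `MEDIUM` also catches the busybox and c-ares findings.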
This finding places immediate pressure on CBDQ-IO to release a patched image version and alerts all organizations that have integrated this container into their CI/CD pipelines or deployment environments. The presence of a critical cryptographic library vulnerability elevates the risk profile significantly, potentially enabling remote code execution or data interception. It underscores the persistent security debt in container ecosystems, where base images can propagate unpatched flaws across countless deployments, demanding rigorous and continuous vulnerability management practices from maintainers and consumers alike.