Princeton Library's ImageCat Rails Project Exposes Multiple Dependencies with Unpatched Vulnerabilities
A routine container security scan of Princeton University Library's ImageCat Rails project has flagged multiple unpatched vulnerabilities in its software dependencies, revealing a latent security risk in an academic digital-asset system. The automated Trivy scan, which the pipeline marked as failed, identified six distinct vulnerabilities across Ruby gems and npm packages, including a high-severity flaw in the `picomatch` library (GHSA-c2c7-rcm5-vvqj). The project's current versions of `net-imap`, `picomatch`, `resolv`, `rexml`, and `uri` all lag behind the patched releases that would resolve these issues.
The failure is documented in a public GitHub Actions run for the `pulibrary/imagecat-rails` repository. The detailed output lists each vulnerable component, its installed version, the fixed version, and a calculated risk score. The EPSS (Exploit Prediction Scoring System) percentages for most of the findings are low, indicating a lower probability of near-term exploitation in the wild, but a high-severity finding alongside several medium-severity issues still constitutes a tangible attack surface. The project's reliance on these outdated packages leaves it exposed to the weaknesses described in the corresponding GitHub Security Advisories.
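A CI gate over a Trivy JSON report of the kind described above, as an added example that is not part of the original article or of the pulibrary project: it flattens each finding into installed/fixed/severity rows and fails the job when any finding at or above HIGH already has a patched release available. The report body and all version strings are constructed placeholders; only the `picomatch` advisory id comes from the page, and EPSS figures are left out because they are not part of Trivy's standard JSON fields.

```python
import json

# Constructed Trivy-style JSON report (NOT the real scan output from the
# pulibrary/imagecat-rails run). Version strings are placeholders; the
# picomatch advisory id is the one named in the article, the others are fake.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "GHSA-c2c7-rcm5-vvqj", "PkgName": "picomatch",
              "InstalledVersion": "0.0.0-constructed",
              "FixedVersion": "0.0.1-constructed", "Severity": "HIGH"}]},
        {"Target": "Gemfile.lock", "Class": "lang-pkgs", "Type": "bundler",
         "Vulnerabilities": [
             {"VulnerabilityID": "GHSA-xxxx-placeholder", "PkgName": "rexml",
              "InstalledVersion": "0.0.0-constructed",
              "FixedVersion": "0.0.1-constructed", "Severity": "MEDIUM"},
             {"VulnerabilityID": "GHSA-yyyy-placeholder", "PkgName": "uri",
              "InstalledVersion": "0.0.0-constructed",
              "FixedVersion": "", "Severity": "LOW"}]},
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def collect_findings(report_json):
    """Flatten a Trivy JSON report into one row per (target, package, advisory)."""
    rows = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null (not []) for targets with no findings.
        for v in result.get("Vulnerabilities") or []:
            rows.append({
                "target": result.get("Target", ""),
                "pkg": v["PkgName"],
                "id": v["VulnerabilityID"],
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),  # empty when no patch exists yet
                "severity": v.get("Severity", "UNKNOWN"),
            })
    return rows


def gate(rows, fail_at="HIGH"):
    """Return (passed, blocking): blocking lists findings at or above fail_at
    that already have a fixed version, i.e. the ones a dependency bump removes."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [r for r in rows
                if SEVERITY_RANK.get(r["severity"], 0) >= threshold and r["fixed"]]
    return (not blocking, blocking)


if __name__ == "__main__":
    findings = collect_findings(SAMPLE_REPORT)
    for r in findings:
        print(f'{r["severity"]:8} {r["pkg"]:10} {r["installed"]} -> '
              f'{r["fixed"] or "(no fix)"}  {r["id"]}')
    ok, blocking = gate(findings)
    print("PASS" if ok else f"FAIL: {len(blocking)} fixable finding(s) at or above HIGH")
    raise SystemExit(0 if ok else 1)
```

Unfixable findings are reported but never block the build, so the gate only ever demands an upgrade that actually exists.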
This incident underscores the persistent challenge of dependency management in open-source software stacks, even within institutional projects. For a university library system managing digital collections, such vulnerabilities could put data integrity and system availability at risk if left unaddressed. Because the failed scan log is public, it is visible to maintainers and to potential malicious actors alike, which increases the urgency for the development team to review and update the project's dependencies and close the identified gaps.