CBDQ-IO GitChangelog Container Image Harbors Critical OpenSSL Flaw, Multiple Medium Vulnerabilities
A critical OpenSSL vulnerability (CVE-2025-15467) has been identified in the official `ghcr.io/cbdq-io/gitchangelog:0.1.2` container image. The finding, rated CRITICAL by the Trivy security scanner, sits in the `libcrypto3` package at version 3.5.1-r0; the fix ships in 3.5.5-r0. The `-rN` suffix marks these as Alpine apk package revisions, so the flaw is in the base image's OpenSSL build rather than in the GitChangelog tool itself. Any system or pipeline that pulls this image tag carries the vulnerable library.
The scan reports four findings in the image's base packages. Alongside the OpenSSL issue, the MEDIUM-severity CVE-2024-58251 is listed twice, once against the `busybox` package and once against `busybox-binsh`. Both are built from the same BusyBox source, so this is a single underlying flaw with a single fix (BusyBox 1.37.0-r20), not two independent problems. A further MEDIUM finding, CVE-2025-62408, affects the `c-ares` DNS resolver library and is fixed in 1.34.6-r0. Every affected package has a published fixed version, which indicates the image was simply not rebuilt against current packages.
This finding places immediate pressure on CBDQ-IO to rebuild and release a patched GitChangelog image, and it warrants a check by any organization that runs the tool in its CI/CD or development workflows. One caveat for triage: a scanner's severity rating describes the library, not whether the image's workload ever reaches the affected code path, so the practical risk depends on how the tool exercises OpenSSL in a given pipeline. A vulnerable `libcrypto3` inside a build image is still a supply-chain exposure worth closing. Users should confirm whether the tag is referenced in their pipelines, rescan it with Trivy to verify the findings against their own copy, and either wait for an official update or rebuild the image themselves with the packages upgraded to the fixed revisions listed above.
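The triage and remediation steps above can be scripted against Trivy's JSON output. The following is an added example written for this article, not code from Trivy or from the cbdq-io project: it parses a report, keeps only findings with a published fix, groups findings by CVE so the double-counted BusyBox entry is visible, emits `apk add` version pins for a rebuild, and fails a CI gate on any fixable CRITICAL or HIGH finding. The embedded report is a constructed sample that mirrors the four findings the article describes; the installed versions of `busybox`, `busybox-binsh` and `c-ares` are assumed, since the article gives only their fixed versions. The version comparison is a simplified apk comparator that covers the dotted-numeric and `-rN` forms seen here, not apk's full version grammar.

```python
"""Triage a Trivy JSON report: fixable findings, apk pins, and a severity gate.

Added example for this article; not Trivy's code or the cbdq-io project's.
"""
import json
import shlex
from collections import defaultdict

# Constructed sample in the shape of `trivy image --format json` output
# (subset of fields). CVE IDs, package names and fixed versions follow the
# article; the InstalledVersion values for busybox, busybox-binsh and c-ares
# are assumptions, as the article does not state them.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "ghcr.io/cbdq-io/gitchangelog:0.1.2",
    "Results": [{
        "Target": "ghcr.io/cbdq-io/gitchangelog:0.1.2 (alpine)",
        "Class": "os-pkgs",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2025-15467", "PkgName": "libcrypto3",
             "InstalledVersion": "3.5.1-r0", "FixedVersion": "3.5.5-r0",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2024-58251", "PkgName": "busybox",
             "InstalledVersion": "1.37.0-r19", "FixedVersion": "1.37.0-r20",
             "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2024-58251", "PkgName": "busybox-binsh",
             "InstalledVersion": "1.37.0-r19", "FixedVersion": "1.37.0-r20",
             "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2025-62408", "PkgName": "c-ares",
             "InstalledVersion": "1.34.5-r0", "FixedVersion": "1.34.6-r0",
             "Severity": "MEDIUM"},
        ],
    }],
})


def parse_apk_version(version):
    """Split '3.5.1-r0' into ((3, 5, 1), 0).

    Simplified: dotted numeric components plus an optional -rN revision.
    apk's full grammar (suffixes such as _p1 or letter tags) is not handled.
    """
    base, _, rev = version.partition("-r")
    parts = []
    for piece in base.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts), (int(rev) if rev.isdigit() else 0)


def version_lt(installed, fixed):
    """True when the installed apk version is older than the fixed one."""
    return parse_apk_version(installed) < parse_apk_version(fixed)


def fixable_findings(report_text):
    """Return findings that a rebuild with current packages would remove."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            fixed = vuln.get("FixedVersion", "")
            if not fixed:
                continue  # no upstream fix: a rebuild alone cannot close it
            # Trivy may list several fixed versions comma-separated; use the first.
            fixed = fixed.split(",")[0].strip()
            if not version_lt(vuln["InstalledVersion"], fixed):
                continue  # already at or beyond the fix
            findings.append({"id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                             "installed": vuln["InstalledVersion"], "fixed": fixed,
                             "severity": vuln.get("Severity", "UNKNOWN")})
    return findings


def distinct_cves(findings):
    """Map each CVE to the packages it is reported against (shows double counts)."""
    by_id = defaultdict(list)
    for f in findings:
        by_id[f["id"]].append(f["pkg"])
    return dict(by_id)


def apk_pins(findings):
    """Sorted 'pkg>=fixed' constraints for `apk add`; the build fails if absent."""
    return sorted({f"{f['pkg']}>={f['fixed']}" for f in findings})


def gate(findings, fail_on=("CRITICAL", "HIGH")):
    """CI gate: (ok, blocking CVE IDs) for fixable findings at or above threshold."""
    blocking = sorted({f["id"] for f in findings if f["severity"] in fail_on})
    return (not blocking, blocking)


if __name__ == "__main__":
    found = fixable_findings(SAMPLE_REPORT)
    for cve, pkgs in distinct_cves(found).items():
        print(f"{cve}: {', '.join(pkgs)}")
    print("apk add --no-cache " + " ".join(shlex.quote(p) for p in apk_pins(found)))
    ok, blocking = gate(found)
    print("gate:", "pass" if ok else "FAIL on " + ", ".join(blocking))
```

On a real report, run `trivy image --format json ghcr.io/cbdq-io/gitchangelog:0.1.2 > report.json` and feed the file contents to `fixable_findings`. The `apk add` pins are stricter than a plain `apk upgrade --no-cache` in a rebuilt Dockerfile: if the mirror has not yet published the fixed revision, the build fails instead of silently shipping the old package.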