Security report: critical/high CVEs in latest image

[Railsimulatornet]

Hi, and thanks for maintaining this image.

I ran a Trivy scan against itzg/minecraft-bedrock-server:latest in my environment and wanted to report that the current latest image appears to contain multiple critical/high vulnerabilities in container packages.

At minimum, the scan reports this critical finding for the image:

• CVE-2025-68121
• package: stdlib
• severity: CRITICAL
• fix versions reported by the scanner: 1.24.13, 1.25.7, 1.26.0-rc.3

The scan also reports additional critical/high findings in the image, so this does not look like a single isolated result.

I understand that scanner findings do not automatically mean every issue is exploitable in the real runtime path. However, since this image is often used for publicly reachable Bedrock servers, and at least one critical finding already has a reported fix available, I thought it would be worth flagging.

Would you mind reviewing the current base image / dependency state and rebuilding or refreshing the image if appropriate?

If helpful, I can also provide the full Trivy output for this image.

Thanks again.

[itzg]

Yes the full report would be helpful especially if it indicates what executables are potentially affected by that. "stdlib" is not specific enough to address.

[Railsimulatornet]

Thanks, I checked the related helper repos more closely and I think I can narrow this down further.

At this point, I do not think this should be treated as “all bundled helper binaries need updates”.

From the current image Dockerfile, these are the pinned helper tools involved:

• EASY_ADD_VERSION=0.8.11
• ENTRYPOINT_DEMOTER_VERSION=0.4.9
• SET_PROPERTY_VERSION=0.1.5

From my scan output, the affected target paths were:

• /usr/bin/easy-add
• /usr/local/bin/set-property
• /usr/local/bin/entrypoint-demoter

However, after checking the related helper repos more closely:

• easy-add may already be fine, since the currently pinned version is already 0.8.11 and the latest release notes mention an upgrade to Go 1.24.4
• entrypoint-demoter may also already be fine, since the currently pinned version is already v0.4.9 and the latest release notes mention an upgrade to Go 1.25.1
• set-property is the one that currently looks most likely to still need work, because this image still pins SET_PROPERTY_VERSION=0.1.5, while the set-property repository currently shows go 1.23.6 in go.mod

So the most likely concrete fix is not “update everything”, but rather:

1. Verify which of these three bundled helper binaries still carries the vulnerable Go stdlib

   • /usr/bin/easy-add
   • /usr/local/bin/set-property
   • /usr/local/bin/entrypoint-demoter

2. Most likely, rebuild and release a newer set-property binary with an updated Go toolchain that includes the relevant stdlib fixes

3. Then bump SET_PROPERTY_VERSION in this Dockerfile

4. Rebuild and republish itzg/minecraft-bedrock-server:latest

So the likely change needed here is:

• check the build info of the three bundled helper binaries
• confirm which one still embeds the vulnerable stdlib
• most likely update set-property
• then refresh the image

If helpful, I can also share the exact scan excerpt again.

[itzg]

Thanks, very helpful. Those three are mine and I was indeed due for a Go upgrade on that and was already getting flagged by a vuln check on those.

[itzg]

Next build will include all the upgraded dependencies.