
CVE-2025-65965: CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer in anchore grype

Severity: High
Published: Tue Nov 25 2025 (11/25/2025, 19:36:11 UTC)
Source: CVE Database V5
Vendor/Project: anchore
Product: grype

Description

CVE-2025-65965 is a high-severity vulnerability in Anchore Grype, a container image and filesystem vulnerability scanner. Versions 0.68.0 through 0.104.0 improperly include unsanitized registry credentials in output files when using the --file or --output json=<file> options. This credential disclosure can lead to unauthorized access if output files are exposed. The vulnerability does not require authentication or user interaction and affects confidentiality with high impact. It has been patched in version 0.104.1.

AI-Powered Analysis

AILast updated: 12/02/2025, 20:06:20 UTC

Technical Analysis

Anchore Grype is a widely used open-source vulnerability scanner for container images and filesystems. CVE-2025-65965 is a vulnerability classified under CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) that affects Grype versions from 0.68.0 up to but not including 0.104.1. The issue arises when users define registry credentials for scanning private container registries and then generate scan reports using the --file or --output json=<file> options. Instead of sanitizing or redacting these sensitive credentials, Grype includes them verbatim in the output JSON files. This results in credential leakage if the output files are stored, shared, or accessed by unauthorized parties. The vulnerability does not require any authentication or user interaction to be exploited, and it can be triggered simply by running Grype with the vulnerable output options. The CVSS 4.0 score is 8.2 (high severity), reflecting the high confidentiality impact and ease of exploitation via local access. The flaw has been addressed in Grype version 0.104.1, which properly sanitizes credentials in output files. Until patching, users can mitigate risk by redirecting standard output to files instead of using the vulnerable output flags, preventing credentials from being embedded in output files. No known exploits have been reported in the wild as of now. This vulnerability is critical for organizations relying on Grype for container security, especially those scanning private registries with sensitive credentials.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality of container registry credentials. Leakage of these credentials could allow attackers to access private container images, potentially leading to unauthorized deployment of malicious containers, data exfiltration, or lateral movement within the network. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and critical infrastructure, could face regulatory and reputational damage if such credentials are exposed. The vulnerability affects the integrity of the container supply chain by undermining trust in vulnerability scanning processes. Additionally, compromised registry credentials could facilitate further attacks on cloud environments or CI/CD pipelines. Since Grype is commonly used in DevOps and security workflows, the scope of affected systems can be broad, impacting multiple teams and environments. The ease of exploitation without authentication increases the urgency for remediation. Overall, the vulnerability could disrupt secure container deployment practices and expose sensitive operational secrets.

Mitigation Recommendations

1. Immediately upgrade Anchore Grype to version 0.104.1 or later, where the vulnerability is patched.
2. Until upgrading, avoid using the --file or --output json=<file> options when running Grype scans with registry credentials; instead, redirect stdout to a file to prevent credentials from being embedded in output files.
3. Audit existing Grype output files generated with vulnerable versions for leaked credentials and rotate any exposed registry credentials promptly.
4. Implement strict access controls and encryption on storage locations containing Grype output files to minimize exposure risk.
5. Integrate secrets management solutions to avoid embedding credentials directly in scanning configurations or environment variables.
6. Review and harden CI/CD pipeline permissions to limit the impact of any leaked credentials.
7. Monitor logs and network traffic for unusual access patterns to container registries that could indicate credential misuse.
8. Educate DevOps and security teams about secure usage of vulnerability scanners and proper handling of sensitive output data.
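To support mitigation step 3, and to make the leakage path from the Technical Analysis concrete, here is an added example (not part of this advisory or of the Grype project) that audits saved Grype JSON reports for embedded registry credentials and produces a redacted copy. It assumes the leaked fields use key names such as password or token inside the report's descriptor section; the sample report and all values in it are constructed placeholders.

```python
import json
from typing import Any, List, Tuple

# Assumption: leaked registry credentials sit under keys named like these in the
# report's descriptor/configuration section; exact key match, so "authority"
# (the registry host) is never treated as a secret.
SENSITIVE_KEYS = {"password", "passwd", "token", "secret", "auth"}
REDACTED = "[REDACTED]"

# Constructed sample in the shape of a Grype JSON output file that embeds the
# registry auth block (placeholder values, not real credentials).
SAMPLE_REPORT = json.dumps({
    "matches": [],
    "descriptor": {"name": "grype", "version": "0.103.0", "configuration": {
        "registry": {"auth": [{"authority": "registry.example.internal",
                               "username": "ci-scanner",
                               "password": "s3cr3t-placeholder"}]}}},
})

def is_secret(key: Any, value: Any) -> bool:
    # A non-empty, not-yet-redacted string stored under a sensitive key.
    return key in SENSITIVE_KEYS and isinstance(value, str) and value not in ("", REDACTED)

def find_credentials(node: Any, path: str = "$") -> List[Tuple[str, str]]:
    """Walk the JSON tree; return (json_path, value) for every credential string."""
    hits: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if is_secret(key, value):
                hits.append((child, value))
            else:
                hits.extend(find_credentials(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_credentials(item, f"{path}[{i}]"))
    return hits

def redact_credentials(node: Any) -> Any:
    """Return a deep copy of the tree with every credential string replaced."""
    if isinstance(node, dict):
        return {k: REDACTED if is_secret(k, v) else redact_credentials(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact_credentials(item) for item in node]
    return node

def audit_report_text(text: str) -> Tuple[List[Tuple[str, str]], Any]:
    """Parse one report file's text; return (leaked fields, redacted copy)."""
    doc = json.loads(text)
    return find_credentials(doc), redact_credentials(doc)
```

Run audit_report_text over each archived report: the returned paths tell you which credentials to rotate, and the redacted copy can replace the file once rotation is done.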


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-11-18T16:14:56.694Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69260888ffc41f183f790649

Added to database: 11/25/2025, 7:50:32 PM

Last enriched: 12/2/2025, 8:06:20 PM

Last updated: 1/10/2026, 10:14:33 PM

Views: 79
