CVE-2025-65965: CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer in anchore grype
Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file. This issue has been patched in version 0.104.1. Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options.
AI Analysis
Technical Summary
Anchore Grype is a widely used open-source vulnerability scanner for container images and filesystems, integral to many DevOps and container security pipelines. CVE-2025-65965 is a vulnerability classified under CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) affecting Grype versions from 0.68.0 up to but not including 0.104.1. The flaw occurs when registry credentials, if configured, are embedded unsanitized in output files generated by the --file or --output json=<file> options. This means that sensitive authentication tokens or passwords used to access container registries can be inadvertently exposed in scan result files. The vulnerability does not require any authentication or user interaction to exploit, but the attack vector is local (AV:L), meaning an attacker or user with local access to the system running Grype can trigger the leakage. The impact on confidentiality is high since registry credentials can allow unauthorized access to container images, potentially leading to further compromise or data theft. Integrity and availability impacts are not present. The issue has been fixed in version 0.104.1, where output sanitization was improved to remove sensitive data before writing to files. Until patching, users can mitigate risk by redirecting standard output (stdout) to a file instead of using the vulnerable output options, which do not sanitize credentials. No known exploits are currently reported in the wild. The vulnerability was published on November 25, 2025, and carries a CVSS 4.0 score of 8.2, indicating high severity.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of container registry credentials, which are critical for secure container image management and deployment. Exposure of these credentials can lead to unauthorized access to private container registries, enabling attackers to download, modify, or replace container images. This can result in supply chain compromises, insertion of malicious code, or disruption of containerized applications. Organizations relying heavily on containerized environments and automated CI/CD pipelines that integrate Grype for vulnerability scanning are particularly at risk. The breach of registry credentials can also undermine compliance with data protection regulations such as GDPR if it leads to broader system compromise or data leakage. The vulnerability’s local attack vector means that insider threats or compromised developer workstations could exploit this flaw. Given the widespread adoption of container technologies in European financial, manufacturing, and technology sectors, the impact could be substantial if not addressed promptly.
Mitigation Recommendations
1. Upgrade Grype to version 0.104.1 or later immediately to apply the official patch that sanitizes sensitive credentials in output files.
2. Until patching is possible, avoid using the --file or --output json=<file> options; instead, redirect standard output (stdout) to a file, which does not include unsanitized credentials.
3. Review and rotate any registry credentials that may have been exposed via output files generated by vulnerable Grype versions.
4. Implement strict access controls and monitoring on systems running Grype to limit local access and detect unauthorized file access or credential leakage.
5. Integrate secrets management solutions to minimize the use of static registry credentials and enable short-lived tokens where possible.
6. Audit CI/CD pipelines and container security workflows to ensure no sensitive information is logged or stored insecurely.
7. Educate development and security teams about secure handling of credentials and the risks of improper output file management.
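A defender-side triage script for step 3 above: it walks a Grype JSON report already on disk, lists every path holding a non-empty secret-looking value so the matching registry credentials can be rotated, and returns a redacted copy that is safe to retain. This is an added example, not Grype's own code; the report shape (registry auth entries under descriptor/configuration), the key-name pattern and the sample report are assumptions and constructed data, and the walker matches on key names anywhere in the document so it does not depend on that exact layout.

```python
import json
import re

# Key names treated as secrets. Assumption: Grype's registry auth entries use
# names such as "password" and "token"; the pattern is deliberately broad.
SENSITIVE_KEY = re.compile(r"(password|passwd|token|secret|api[_-]?key)$", re.IGNORECASE)
REDACTED = "******"


def find_secrets(node, path=""):
    """Return slash-separated paths of every non-empty sensitive string value."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            if SENSITIVE_KEY.search(key) and isinstance(value, str) and value:
                hits.append(child)
            else:
                hits.extend(find_secrets(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_secrets(item, f"{path}/{i}"))
    return hits


def redact(node):
    """Return a deep copy of the document with sensitive values replaced."""
    if isinstance(node, dict):
        return {k: (REDACTED if SENSITIVE_KEY.search(k) and isinstance(v, str) and v
                    else redact(v)) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node


# Constructed sample shaped like a report from an affected version (not real output).
SAMPLE_REPORT = json.dumps({
    "matches": [],
    "descriptor": {"name": "grype", "version": "0.104.0", "configuration": {
        "registry": {"auth": [{"authority": "registry.example.internal",
                               "username": "ci-bot", "password": "hunter2", "token": ""}]}}}})


def audit(report_text):
    """Parse a report and return (leaked field paths, redacted document)."""
    doc = json.loads(report_text)
    return find_secrets(doc), redact(doc)


if __name__ == "__main__":
    leaks, clean = audit(SAMPLE_REPORT)
    print("leaked credential fields:", leaks)
    print(json.dumps(clean, indent=1))
```

Run it against each archived report (`audit(open(path).read())`); every path it prints names a credential to rotate, and the redacted copy can replace the original on disk.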
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-18T16:14:56.694Z
- CVSS Version: 4.0
- State: PUBLISHED