Summary
The Grype supply chain scan has identified GHSA-x744-4wpc-v9h2 (HIGH — CVSS 8.8) in github.com/docker/docker v28.5.2+incompatible embedded in the Charon backend binary (/app/charon).
Vulnerability Details
Type: Authorization Bypass — AuthZ plugin bypass via oversized request bodies
Advisory: GHSA-x744-4wpc-v9h2
Fix available in: moby/moby v29.3.1 (not yet available on the docker/docker import path)
Current Mitigation
- Temporary ignore rule in .grype.yaml with expiry 2026-04-30
- Charon uses the Docker Client SDK only for container listing operations
- The vulnerability is in Docker Engine's server-side AuthZ plugin authorization, which Charon does not configure or depend on; the scanner flags the module because the client SDK and the daemon code ship in the same Go module
- Real-world risk to Charon is therefore minimal: the affected code path runs in the daemon that handles requests, not in the client that issues them
Resolution Path
- Monitor for docker/docker or moby/moby/v2 publishing a patched release compatible with the docker/docker import path
- Update go.mod to the patched version
- Remove the corresponding ignore rule from .grype.yaml
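A CI gate for the resolution steps above, added here as an example; it is not Charon's code or Grype's. It assumes the ignore rule records its expiry in an expiration: key (field name assumed; check the Grype version in use), uses v29.3.1 from the advisory only as a placeholder minimum version since no fixed release exists yet on the docker/docker path, and runs on constructed sample files that mirror the state described in this issue rather than on the repository's real go.mod and .grype.yaml.

```shell
#!/bin/sh
# Added example (not part of the Charon project or of Grype): CI gate for the
# resolution path in this issue. Assumes the ignore rule records its expiry in
# an `expiration:` key (field name assumed) and that go.mod lists the module in
# the usual `require` form.

# semver_ge A B: exit 0 when A >= B, comparing major.minor.patch numerically.
# A leading "v" and any "+incompatible" / pre-release suffix are ignored.
semver_ge() {
  a=$(printf '%s' "$1" | sed 's/^v//; s/[+-].*$//')
  b=$(printf '%s' "$2" | sed 's/^v//; s/[+-].*$//')
  awk -v a="$a" -v b="$b" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# docker_dep_version GO_MOD: print the version pinned for github.com/docker/docker
# (handles both a `require (...)` block entry and a single-line `require`).
docker_dep_version() {
  awk '$1 == "github.com/docker/docker" { print $2; exit }
       $1 == "require" && $2 == "github.com/docker/docker" { print $3; exit }' "$1"
}

# docker_dep_fixed GO_MOD MIN_VERSION: exit 0 only when the dependency is present
# and at or above MIN_VERSION. A missing entry is reported as not fixed (exit 2)
# rather than silently passing.
docker_dep_fixed() {
  have=$(docker_dep_version "$1")
  [ -n "$have" ] || return 2
  semver_ge "$have" "$2"
}

# expired_grype_ignores GRYPE_YAML TODAY: print every `expiration:` value earlier
# than TODAY. Dates are ISO YYYY-MM-DD, so plain string order is date order.
expired_grype_ignores() {
  awk -v today="$2" '$1 == "expiration:" {
    d = $2; gsub(/"/, "", d)
    if (d < today) print d
  }' "$1"
}

# grype_ignores_unexpired GRYPE_YAML TODAY: exit 0 when no rule has lapsed.
grype_ignores_unexpired() {
  [ -z "$(expired_grype_ignores "$1" "$2")" ]
}

# write_samples: create constructed go.mod and .grype.yaml in a temp dir and
# print its path. These mirror the state described in the issue; they are not
# the repository's real files, and the module name "charon" is a placeholder.
write_samples() {
  d=$(mktemp -d)
  cat > "$d/go.mod" <<'EOF'
module charon

go 1.23

require (
	github.com/docker/docker v28.5.2+incompatible
	github.com/spf13/cobra v1.8.1
)
EOF
  cat > "$d/.grype.yaml" <<'EOF'
ignore:
  - vulnerability: GHSA-x744-4wpc-v9h2
    reason: "Charon only calls the Docker client SDK to list containers; the AuthZ plugin path is daemon-side and unused"
    expiration: "2026-04-30"
    package:
      name: github.com/docker/docker
      version: v28.5.2+incompatible
EOF
  printf '%s\n' "$d"
}

# Stand-alone run (RUN_CHECK=1): fail the build once the ignore rule has lapsed
# while go.mod still carries a version without the fix.
if [ "${RUN_CHECK:-0}" = 1 ]; then
  dir=$(write_samples)
  today=$(date +%Y-%m-%d)
  if ! docker_dep_fixed "$dir/go.mod" v29.3.1 && ! grype_ignores_unexpired "$dir/.grype.yaml" "$today"; then
    echo "ignore rule expired on $(expired_grype_ignores "$dir/.grype.yaml" "$today") but go.mod still pins $(docker_dep_version "$dir/go.mod")" >&2
    exit 1
  fi
fi
```

Point the two path arguments at the real go.mod and .grype.yaml in CI and the gate turns a silently expired ignore rule into a failing build; a missing docker/docker entry is treated as "not verified" rather than "fixed", so removing the dependency still requires a deliberate change to the gate.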
Acceptance Criteria
- github.com/docker/docker dependency updated to a version with the fix for GHSA-x744-4wpc-v9h2
- Corresponding ignore rule removed from .grype.yaml