Summary
A Docker Scout scan of the production backend image (dunglas/frankenphp:php8.3-alpine / Alpine 3.23 base) surfaced 26 HIGH CVEs across 8 packages. These vulnerabilities are not introduced by any recent contribution; they exist in the upstream Alpine 3.23 base packages and the current composer.lock dependencies.
This issue documents the findings so they can be tracked and addressed upstream or by a maintainer with access to the relevant packages.
Scan tool: Docker Scout (docker scout cves)
Image scanned: production backend and all-in-one images
Severity filter: HIGH + CRITICAL only (0 CRITICAL found)
Group 1 - Alpine base packages (no fix available in Alpine 3.23)
These CVEs have no patched version published yet for Alpine 3.23 at the time of scanning. Nothing actionable for now; monitoring recommended.
imagemagick 7.1.2.17-r0: 13 HIGH CVEs
Note: ImageMagick is used for image/PDF processing. If it is not strictly required, replacing it with a lighter alternative (e.g. libvips) or removing it from the base image would eliminate all 13 CVEs.
tar 1.35-r4: 6 HIGH CVEs
nghttp2 1.68.0-r0: 1 HIGH CVE
libde265 1.0.16-r0: 1 HIGH CVE
curl 8.17.0-r1: 1 HIGH CVE
Group 2 - Alpine base packages (fix available)
These CVEs have a patched version in Alpine. They can be resolved by adding RUN apk upgrade --no-cache openssl to the Dockerfiles, or by waiting for the base image to bump its lockfile.
openssl 3.5.5-r0: 2 HIGH CVEs, fixed in 3.5.6-r0
Suggested fix in Dockerfiles:
RUN apk upgrade --no-cache openssl
Group 3 - Composer dependencies (fix available)
These are application-level PHP dependencies tracked in composer.lock. They are not introduced by any infrastructure change and are within the project's direct control.
aws/aws-sdk-php 3.356.40: 1 HIGH, fixed in 3.371.4
Suggested fix:
composer require aws/aws-sdk-php:^3.371.4
symfony/http-foundation 7.3.4: 1 HIGH, fixed in 7.3.7
Suggested fix:
composer update symfony/http-foundation
This package is typically pulled in transitively by Laravel. Updating it in composer.json constraints or running composer update should be sufficient.
Summary table

| Package | Severity | Count | Fix available? |
|---|---|---|---|
| imagemagick 7.1.2.17-r0 | HIGH | 13 | No fix in Alpine 3.23 |
| tar 1.35-r4 | HIGH | 6 | No fix in Alpine 3.23 |
| openssl 3.5.5-r0 | HIGH | 2 | Yes, upgrade to 3.5.6-r0 |
| nghttp2 1.68.0-r0 | HIGH | 1 | No fix in Alpine 3.23 |
| libde265 1.0.16-r0 | HIGH | 1 | No fix in Alpine 3.23 |
| curl 8.17.0-r1 | HIGH | 1 | No fix in Alpine 3.23 |
| aws/aws-sdk-php 3.356.40 | HIGH | 1 | Yes, upgrade to 3.371.4 |
| symfony/http-foundation 7.3.4 | HIGH | 1 | Yes, upgrade to 7.3.7 |

Total: 26 HIGH, 0 CRITICAL
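As an added example (not part of this issue, the project's tooling, or Docker Scout), the following Python script reproduces the triage applied in Groups 1 to 3 and regenerates the summary table, so the same sorting can be rerun after the next scan. The findings list is constructed from the table above; the apk and composer version comparisons are simplified assumptions (apk's real ordering also handles suffixes such as _p1, and composer's handles stability flags), and `apply_upgrade` only simulates a re-scan after a package bump.

```python
"""Triage helper for Docker Scout HIGH/CRITICAL findings (added example).

Not the project's tooling and not Docker Scout's own output format. The
findings list is constructed from the issue's summary table; the version
comparisons are simplified assumptions, not apk's or composer's exact rules.
"""
import re

# Constructed from the issue's summary table:
# (ecosystem, package, installed version, fixed version or None, HIGH CVE count)
FINDINGS = [
    ("alpine", "imagemagick", "7.1.2.17-r0", None, 13),
    ("alpine", "tar", "1.35-r4", None, 6),
    ("alpine", "openssl", "3.5.5-r0", "3.5.6-r0", 2),
    ("alpine", "nghttp2", "1.68.0-r0", None, 1),
    ("alpine", "libde265", "1.0.16-r0", None, 1),
    ("alpine", "curl", "8.17.0-r1", None, 1),
    ("composer", "aws/aws-sdk-php", "3.356.40", "3.371.4", 1),
    ("composer", "symfony/http-foundation", "7.3.4", "7.3.7", 1),
]


def parse_apk_version(v):
    """'pkgver-rN' -> ((numeric parts...), N). Simplified apk ordering (assumption)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)-r(\d+)", v)
    if not m:
        raise ValueError(f"unsupported apk version string: {v}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))


def parse_composer_version(v):
    """'3.371.4' or 'v3.371.4' -> (3, 371, 4). Simplified semver ordering (assumption)."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unsupported composer version string: {v}")
    return tuple(int(p) for p in m.group(1).split("."))


PARSERS = {"alpine": parse_apk_version, "composer": parse_composer_version}


def classify(finding):
    """Map one finding onto the issue's three groups, plus 'resolved'."""
    eco, _pkg, installed, fixed, _n = finding
    if fixed is None:
        return "no-fix"  # Group 1: nothing to do but monitor
    if PARSERS[eco](installed) >= PARSERS[eco](fixed):
        return "resolved"  # already at or past the fixed version
    return "base-fix" if eco == "alpine" else "composer-fix"  # Groups 2 and 3


def triage(findings):
    groups = {"no-fix": [], "base-fix": [], "composer-fix": [], "resolved": []}
    for f in findings:
        groups[classify(f)].append(f)
    return groups


def cve_counts(findings):
    """HIGH CVE count per group, plus the grand total."""
    out = {g: sum(f[4] for f in fs) for g, fs in triage(findings).items()}
    out["total"] = sum(f[4] for f in findings)
    return out


def remediation(finding):
    """The one-line fix the issue suggests for each group."""
    eco, pkg, _installed, fixed, _n = finding
    if fixed is None:
        return f"monitor {pkg}: no fixed package published yet"
    if eco == "alpine":
        return f"RUN apk upgrade --no-cache {pkg}"
    return f"composer update {pkg}  (or pin: composer require {pkg}:^{fixed})"


def summary_table(findings):
    """Render the issue's summary table as Markdown (every finding here is HIGH)."""
    rows = ["| Package | Severity | Count | Fix available? |", "|---|---|---|---|"]
    for _eco, pkg, installed, fixed, n in findings:
        fix = f"Yes, upgrade to {fixed}" if fixed else "No fix available"
        rows.append(f"| {pkg} {installed} | HIGH | {n} | {fix} |")
    return "\n".join(rows)


def apply_upgrade(findings, pkg, new_version):
    """Simulate a re-scan after one package was upgraded, to verify the fix lands."""
    return [(e, p, new_version if p == pkg else v, f, n) for e, p, v, f, n in findings]


if __name__ == "__main__":
    print(summary_table(FINDINGS))
    print(cve_counts(FINDINGS))
    for f in FINDINGS:
        print(f"{f[1]:<26} {classify(f):<13} {remediation(f)}")
```

Running it prints the table, the per-group counts (22 with no fix, 2 fixable via apk, 2 fixable via composer, 26 total) and the suggested action per package; calling `cve_counts(apply_upgrade(FINDINGS, "openssl", "3.5.6-r0"))` shows the two openssl CVEs moving from "base-fix" to "resolved", which is the check to repeat against the real scan once the Dockerfile change is merged.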
How this was discovered
Scanned using Docker Scout after running the FrankenPHP migration PR (#1154).
The same vulnerabilities are present on the current develop branch images (they originate from the Alpine base and existing composer.lock, not from the PR).
docker scout cves <image> --only-severity critical,high