Multiple security vulnerabilities in node-exporter image

[Gopal529]

The current node-exporter image (v1.10.2) includes BusyBox 1.36.1 and some Go dependencies that are affected by multiple critical and high severity CVEs. Critical/high CVEs include CVE-2022-48174, CVE-2025-52881, CVE-2025-61727, and CVE-2025-61729, along with medium severity CVEs CVE-2023-42363, CVE-2023-42364, CVE-2023-42365, and CVE-2023-42366. These issues are flagged by our Prisma security scans. We would appreciate it if these vulnerabilities could be addressed and an updated node-exporter image released. Thanks

[SuperQ]

Please do not report raw vulnerability scanner results. They are prone to false positives and cause the Prometheus team toil in verifying. Please verify vulnerability reports and include specific details as to which components are directly exploitable.

https://prometheus.io/docs/operating/security/#automated-security-scanners

[Gopal529]

@SuperQ Thanks for your response. I understand the point about exploitability.
Could you please consider updating the BusyBox base image and Go dependencies/toolchain to help reduce false positives from security scanners? Thanks

[MarcClusterman]

With respect to issue CVE-2025-52881 the recommended fix is to upgrade selinux to version 1.13, which appears to already be done as part of #3474 but there hasn't yet been a release which includes this change.

[SuperQ]

We automate upgrades already and release when there are issues.

Without a specific exploitable issue these are just false positives reported by version matching.