Summary
Security vulnerabilities detected in TEI Docker images (tei:1.6, tei:1.7).
These are mainly due to outdated Ubuntu base packages (e.g., curl, openssl, perl, etc.).
Upgrading the base image and dependencies is recommended.
Affected Packages & Versions
| Package | Version | Severity | Notes |
|---|---|---|---|
| curl | 7.81.0 | CRITICAL | Multiple CVEs present |
| krb5/krb5 | 1.19.2 | CRITICAL | Affects kerberos libraries |
| Libtasn1 | 4.18.0 | CRITICAL | Outdated ASN.1 library |
| Perl | 5.34.0 | CRITICAL | Known code execution vulns |
| SQLite | 3.37.2 | CRITICAL | SQL parsing vulnerabilities |
| Bash | 5.1 | HIGH | Security fixes available in newer patch |
| Berkeley DB | 5.3.28 | HIGH | Multiple CVEs, no longer actively maintained |
| Cyrus SASL | 2.1.27 | HIGH | Known authentication bypass issues |
| GnuTLS | 3.7.3 | HIGH | TLS handling vulnerabilities |
| libssh | 0.9.6 | HIGH | Outdated SSH library |
| nghttp2 | 1.43.0 | HIGH | HTTP/2 request handling flaws |
| OpenSSL | 3.0.2 | HIGH | Multiple CVEs fixed in 3.0.13+ |
| PCRE2 | 10.39 | HIGH | Regex denial of service |
| XZ Utils | 5.2.5 | HIGH | Compression library security issues |
Recommendations
- Upgrade the base image (e.g., from Ubuntu 20.04 → 22.04 LTS or newer).
- Ensure `apt-get update && apt-get upgrade -y` is run during build.
- Rebuild and publish updated TEI images (`tei:latest`, `tei:1.8`, etc.) with patched dependencies.
- Consider periodic vulnerability scans (e.g., Trivy, Grype, or BlackDuck) in CI/CD.
Impact
These vulnerabilities affect all downstream users of TEI Docker images in production.
Some issues are CRITICAL and could allow code execution, authentication bypass, or TLS/SSL weaknesses.
References
- Ubuntu CVE Tracker: https://ubuntu.com/security/cves
- OpenSSL Security Advisories: https://www.openssl.org/news/vulnerabilities.html
- NVD CVE Database: https://nvd.nist.gov/
Requesting maintainers to update the TEI images in upcoming releases to ensure security compliance.
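The CI/CD scanning recommendation above, as an added example that is not part of this issue or of the TEI project: a small Python policy gate that reads a Trivy-style JSON report of a container image and fails the build when it finds findings at or above a severity threshold for which the distribution already ships a fixed package (the situation described in the table, where the base image simply never pulled in available patches). The embedded report, the image reference `ghcr.io/example/tei:1.7`, the Ubuntu package version strings and the `CVE-0000-0000x` identifiers are constructed placeholders, not real advisories.

```python
"""
Policy gate for a Trivy JSON scan of a container image (added example).

gate() returns the findings that violate policy; a CI job can exit
non-zero when the list is non-empty. Unfixed issues are not blocking
by default but are still counted by summarize() so they can be tracked.
"""
import json
from collections import Counter

# Severity ordering as used by Trivy (Grype uses the same names, modulo case).
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in Trivy's JSON layout, reduced to the fields we need.
# Image name, package versions and CVE ids are placeholders, not real data.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "ghcr.io/example/tei:1.7",   # hypothetical image ref
    "Results": [
        {
            "Target": "ghcr.io/example/tei:1.7 (ubuntu 22.04)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "curl",
                 "InstalledVersion": "7.81.0-1ubuntu1.10",
                 "FixedVersion": "7.81.0-1ubuntu1.20", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "openssl",
                 "InstalledVersion": "3.0.2-0ubuntu1.10",
                 "FixedVersion": "3.0.2-0ubuntu1.18", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libdb5.3",
                 "InstalledVersion": "5.3.28+dfsg1-0.8ubuntu3",
                 "FixedVersion": "", "Severity": "HIGH"},   # no fix shipped yet
                {"VulnerabilityID": "CVE-0000-00004", "PkgName": "bash",
                 "InstalledVersion": "5.1-6ubuntu1",
                 "FixedVersion": "5.1-6ubuntu1.1", "Severity": "MEDIUM"},
            ],
        }
    ],
})


def iter_vulns(report_json: str):
    """Yield every vulnerability entry across all scan targets in the report."""
    report = json.loads(report_json)
    for result in report.get("Results", []):
        # Trivy emits null instead of [] for targets without findings.
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln


def gate(report_json: str, min_severity: str = "HIGH", require_fix: bool = True):
    """Return the findings that violate policy as
    (id, package, installed, fixed, severity) tuples.

    A finding is blocking when its severity is >= min_severity and, if
    require_fix is set, the distribution already ships a fixed version
    (FixedVersion non-empty). With require_fix=False every finding at or
    above the threshold blocks, fixed or not.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    blocking = []
    for v in iter_vulns(report_json):
        sev = SEVERITY_RANK.get(v.get("Severity", "UNKNOWN").upper(), 0)
        if sev < threshold:
            continue
        if require_fix and not v.get("FixedVersion"):
            continue
        blocking.append((v["VulnerabilityID"], v["PkgName"],
                         v["InstalledVersion"], v.get("FixedVersion", ""),
                         v["Severity"]))
    return blocking


def summarize(report_json: str):
    """Count findings per (severity, fix_available) so unfixed issues stay visible."""
    counts = Counter()
    for v in iter_vulns(report_json):
        key = (v.get("Severity", "UNKNOWN").upper(), bool(v.get("FixedVersion")))
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    findings = gate(SAMPLE_REPORT)
    for cve, pkg, installed, fixed, sev in findings:
        print(f"{sev:8} {cve:16} {pkg:12} {installed} -> {fixed}")
    print("summary:", summarize(SAMPLE_REPORT))
    # Non-zero exit fails the CI step while fixable HIGH/CRITICAL findings remain.
    raise SystemExit(1 if findings else 0)
```

In a pipeline the report would come from `trivy image --format json -o report.json <image>` rather than the embedded sample; the default of blocking only on fixable findings is deliberate, since an unfixed issue cannot be resolved by rebuilding, whereas the fixable ones are exactly what `apt-get upgrade` in the build removes.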