Cypress base image for ubuntu included npm 11.6.2 which has vulnerable glob version

[alex1701c]

This triggeres some warnings about the following CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-64756

When just rerunning npm install -g npm@latest, one gets the 11.7.0 npm version which has a newer glob.

Even the latest image has the old npm/glob version. Running the command above from the DOCKERFILE to update npm fixes the issue. Any chance you could do this in the base image? And also, can one check where regular builds of the image happen?

[MikeMcC399]

@alex1701c

Please read the SECURITY document for a description of how component security issues are handled. In this case Node.js is the component, and Cypress Docker images need a fixed version of Node.js 24.x to be released before the vulnerability can be removed in the Cypress Docker images tagged as latest.

According to https://nodejs.org/en/blog/vulnerability/december-2025-security-releases there are security releases planned for today, Dec 15, 2025. I'll check if there is a fix for this issue after the release has been carried out. If it's not in there, then I'll give you a more detailed reply.

Edit: Your title refers to "ubuntu", however cypress/base uses Debian 13, not Ubuntu - not that this makes any difference to the Node.js version - I just want to make sure we're both talking about the same image(s), not the internal images that use Ubuntu.

[MikeMcC399]

@alex1701c

The security release mentioned in https://nodejs.org/en/blog/vulnerability/december-2025-security-releases has been delayed, however after re-reading the blog, I don't believe it will fix this issue anyway.

Cypress Docker images take the complete Node.js release, including all bundled dependencies like npm, and install them as one configurable item, defined by NODE_VERSION, currently set to the default 24.12.0.

There is no facility in the build process for installing alternate versions of Node.js' bundled dependencies such as npm or Corepack.

The glob vulnerability CVE-2025-64756 is discussed in nodejs/nodejs-dependency-vuln-assessments#217 where the maintainers of npm state that although the vulnerability is flagged for npm, npm is not actually vulnerable. The issue carries the label "dont-believe-affects-nodejs".

We need to wait for Node.js to release a new Active LTS Node.js version with an npm update. This can then be bundled into new Cypress Docker images and the security scanners will stop flagging this error.

You can watch the Node.js releases tab or the https://nodejs.org/en/blog for new Node.js releases.

As you say, you can overwrite the npm version locally by installing the latest npm version as a temporary workaround:

npm install npm@latest -g

BTW: Users of official Node.js Docker images are affected in the same way and must also wait.

[MikeMcC399]

Closing this issue now.

Please follow Node.js releases for information about Node.js updates including npm version updates. Note that a minimum of npm@11.6.4 is required. This version of npm has been updated to use glob@13.0.0.

[alex1701c]

Thanks for all the information on this matter and the process, then I will have a dedicated image for this!