We have discovered critical vulnerabilities in the Docker images for Octez v24.0 and later versions – other distributions of Octez (sources, binaries, packages, etc.) are safe.
Impact
- These vulnerabilities (the most relevant being CVE-2025-15467) are not related to the Octez source code itself.
- They concern only upstream dependencies included in Octez Docker images for Octez v24.0 and later versions.
- These vulnerabilities may lead to infrastructure crashes and downtime, or to potential remote code execution scenarios.
- Users relying on other distributions of Octez (binaries, packages, source builds, etc.) are not impacted.
Mitigation
- These vulnerabilities have been addressed in octez-v24.1-1, a packaging revision for Octez v24.1.
- This packaging revision only affects deploying Octez Docker images.
- Users relying on other Octez distribution sources do not need to take any action.
If you are deploying Octez Docker images, please adopt the octez-v24.1-1 revision as soon as possible. That is, you need to pull and redeploy the newly republished Docker tezos:octez-v24.1 images (or latest).
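Because the fixed image is republished under an existing tag, a container started before the republication keeps running the old image until it is recreated. The script below is an added example, not part of the Octez tooling; it assumes containers were started with exactly the image reference passed as its argument, and `find_stale`, `check_deployment` and the sample data are illustrative.

```shell
#!/bin/sh
# Added example (not from the Octez project): find running containers that were
# started from a tag before it was republished and so still run the old image.

# find_stale REF CURRENT_ID
# stdin: one line per container, "name config_image image_id", as produced by
#   docker inspect --format '{{.Name}} {{.Config.Image}} {{.Image}}'
# stdout: names of containers created from REF whose image ID is not CURRENT_ID.
find_stale() {
    ref=$1
    current_id=$2
    while read -r name cfg id; do
        [ "$cfg" = "$ref" ] || continue          # other images: not our concern
        [ "$id" = "$current_id" ] && continue    # already on the republished image
        printf '%s\n' "${name#/}"                # docker prefixes names with "/"
    done
}

# Constructed sample input; the image IDs are placeholders, not real digests.
sample_inspect_output() {
    cat <<'EOF'
/node-a tezos:octez-v24.1 sha256:OLD-PLACEHOLDER
/node-b tezos:octez-v24.1 sha256:NEW-PLACEHOLDER
/proxy example/proxy:1 sha256:OTHER-PLACEHOLDER
EOF
}

# check_deployment REF: pull REF, then list containers still on a superseded image.
# Returns 0 if none, 1 if any are stale, 2 if docker itself failed.
check_deployment() {
    ref=$1
    docker pull "$ref" >/dev/null || return 2
    current_id=$(docker image inspect --format '{{.Id}}' "$ref") || return 2
    ids=$(docker ps -q) || return 2
    [ -n "$ids" ] || return 0
    # $ids is intentionally unquoted: one argument per container ID.
    stale=$(docker inspect --format '{{.Name}} {{.Config.Image}} {{.Image}}' $ids |
        find_stale "$ref" "$current_id")
    [ -z "$stale" ] && return 0
    printf 'still on the old image, redeploy: %s\n' $stale
    return 1
}

# Run only when an image reference is given, e.g.: sh check.sh <image-ref>
if [ "$#" -gt 0 ]; then
    check_deployment "$1"
fi
```

Containers started by image digest or under a differently spelled reference are not matched by the string comparison and need to be checked separately.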
Packaging Revisions
This is the first use of our new Octez packaging revision mechanism. It allows us to rebuild and republish specific distribution artifacts - such as Docker images - for an existing Octez release, without changing the Octez version itself.
Packaging revisions follow the format octez-vx.y-n, where n is the build number.