Charon/docs/security/VULNERABILITY_ACCEPTANCE.md

Vulnerability Acceptance Document

This document provides formal acceptance and risk assessment for vulnerabilities identified across Charon releases.

---

Current Accepted Vulnerabilities (February 2026)

Debian Trixie Base Image CVEs (Temporary Acceptance)

Date Accepted: 2026-02-04 Reviewed By: Security Team, QA Team, DevOps Team Status: ACCEPTED (Temporary - Alpine migration in progress) Next Review: 2026-03-05 (or upon Alpine migration completion) Target Resolution: 2026-03-05

Overview

7 HIGH severity CVEs identified in Debian Trixie base image packages (glibc, libtasn1, libtiff) with no fixes available from Debian upstream.

Decision: Temporary acceptance pending Alpine Linux migration (already planned).

Rationale:

• CrowdSec LAPI authentication fix is CRITICAL for production users
• CVEs are in Debian base packages, NOT application code
• CVEs exist in main branch (blocking fix provides zero security improvement)
• Alpine migration already on roadmap (moved to high priority)
• Risk level assessed as LOW (no exploit path identified)

Mitigation Plan: Full Alpine migration (see docs/plans/alpine_migration_spec.md)

Expected Timeline:

• Week 1 (Feb 5-8): Verify Alpine CVE-2025-60876 is patched
• Weeks 2-3 (Feb 11-22): Dockerfile migration + testing
• Week 4 (Feb 26-28): Staging validation
• Week 5 (Mar 3-5): Production rollout

Expected Outcome: 100% CVE reduction (7 HIGH → 0)

Detailed Security Advisory: advisory_2026-02-04_debian_cves_temporary.md

Affected CVEs:

CVE	CVSS	Package	Status
CVE-2026-0861	8.4	libc6	No fix available → Alpine migration
CVE-2025-13151	7.5	libtasn1-6	No fix available → Alpine migration
CVE-2025-15281	7.5	libc6	No fix available → Alpine migration
CVE-2026-0915	7.5	libc6	No fix available → Alpine migration

Approval Record:

• Security Team: APPROVED (temporary acceptance with mitigation) ✅
• QA Team: APPROVED (conditions met) ✅
• DevOps Team: APPROVED (Alpine migration feasible) ✅
• Sign-Off Date: 2026-02-04

---

Historical Accepted Vulnerabilities

PR #461 - Alpine Base Image CVEs (January 2026)

PR: #461 - DNS Challenge Support Date Accepted: 2026-01-13 Reviewed By: Security Team & Engineering Status: ACCEPTED (No fixes available from Alpine upstream) Next Review: 2026-02-13 (30 days)

---

Executive Summary

PR #461 supply chain scan identified 9 vulnerabilities in Alpine Linux 3.23.0 base image packages:

• 8 Medium severity CVEs (3 busybox-related, 5 curl-related)
• 1 Low severity CVE (curl)

Decision: All vulnerabilities are ACCEPTED pending upstream Alpine Security Team patches. No application-level vulnerabilities were found.

Rationale:

• All CVEs are Alpine OS package issues, not Charon application code
• No patches available from Alpine upstream as of 2026-01-13
• Low exploitability in containerized deployment environment
• Effective mitigation strategies in place
• Active monitoring for upstream patches

---

Vulnerability Details

CVE-2025-60876: busybox utilities (3 packages)

Status: ⚠️ ACCEPTED - Pending Alpine Security Patch Date Accepted: 2026-01-13 Severity: MEDIUM CVSS: 7.5 (Estimated) CWE: CWE-122 (Heap-based Buffer Overflow)

Affected Components

• busybox: 1.37.0-r20 (Alpine APK)
• busybox-binsh: 1.37.0-r20 (Alpine APK)
• ssl_client: 1.37.0-r20 (Alpine APK)

Vulnerability Description

Heap buffer overflow vulnerability in busybox utilities. The vulnerability exists in the parsing logic of certain busybox commands, potentially allowing memory corruption if specific command patterns are used.

Attack Vector: Requires local shell access or specific command execution with attacker-controlled arguments.

Risk Assessment

Exploitability: LOW

• Requires local shell access to container
• Charon does not expose shell access to users via application interface
• Container runs with non-root user (caddy:caddy)
• No busybox commands accept user-controlled input through Charon APIs

Impact: LOW-MEDIUM

• Potential for command execution or privilege escalation if exploited
• Container isolation limits blast radius
• SELinux/AppArmor policies provide defense-in-depth
• No exposed attack surface through Charon application

Risk Level: LOW (Low exploitability × Medium impact in isolated environment = Low overall risk)

Mitigation Strategies

1. Container Isolation: Application runs in isolated Docker container with minimal privileges
2. Non-Root User: Container process runs as caddy:caddy, not root
3. No Shell Exposure: Application does not provide shell access or command execution interfaces
4. Network Segmentation: Container network isolated from host and other containers
5. Read-Only Filesystem: Application binaries and system files mounted read-only where possible
6. Capabilities Drop: Container runs with minimal Linux capabilities (CAP_NET_BIND_SERVICE only)

Monitoring & Remediation Plan

• Monitoring Frequency: Daily checks of Alpine Security advisories
• Source: https://security.alpinelinux.org/vuln/busybox
• Alert Trigger: Patch release for CVE-2025-60876
• Remediation Action: Automatic rebuild with updated Alpine base image
• Review Date: 2026-02-13 (30 days) or upon patch release, whichever is sooner

---

CVE-2025-15079: curl - HTTP/2 Protocol Handling

Status: ⚠️ ACCEPTED - Pending Alpine Security Patch Date Accepted: 2026-01-13 Severity: MEDIUM CVSS: 6.5 (Estimated) CWE: CWE-835 (Loop with Unreachable Exit Condition)

Affected Components

• curl: 8.14.1-r2 (Alpine APK)
• libcurl: 8.14.1-r2 (implicit dependency)

Vulnerability Description

Denial of Service vulnerability in curl's HTTP/2 protocol handling. A malicious server can cause infinite loop or resource exhaustion in curl client when processing crafted HTTP/2 responses.

Attack Vector: Requires curl to connect to malicious HTTP/2 server.

Risk Assessment

Exploitability: LOW

• curl only used for internal healthcheck scripts in Charon
• All curl invocations use hardcoded, internal URLs (http://localhost:8080)
• No user-controlled URLs passed to curl
• No external HTTP/2 connections from curl in production

Impact: LOW

• Could cause healthcheck script to hang or consume CPU
• Container restart resolves issue
• Monitoring detects unhealthy container state
• Application functionality unaffected (healthchecks are auxiliary)

Risk Level: LOW (Low exploitability × Low impact = Low overall risk)

Mitigation Strategies

1. Hardcoded URLs: All curl invocations use internal, localhost endpoints only
2. No User Input: curl commands never accept user-provided URLs or parameters
3. Timeout Protection: Healthcheck scripts include timeout values
4. Monitoring: Container health status monitored; automatic restart on failure
5. Limited Usage: curl only used for healthchecks; application uses Go HTTP client for real work

Monitoring & Remediation Plan

• Monitoring Frequency: Daily checks of Alpine and curl security advisories
• Source: https://security.alpinelinux.org/vuln/curl
• Alert Trigger: Patch release for CVE-2025-15079
• Remediation Action: Automatic rebuild with updated Alpine base image
• Review Date: 2026-02-13 (30 days) or upon patch release, whichever is sooner

---

CVE-2025-14819: curl - TLS Certificate Validation

Status: ⚠️ ACCEPTED - Pending Alpine Security Patch Date Accepted: 2026-01-13 Severity: MEDIUM CVSS: 6.8 (Estimated) CWE: CWE-295 (Improper Certificate Validation)

Affected Components

• curl: 8.14.1-r2 (Alpine APK)
• libcurl: 8.14.1-r2 (implicit dependency)

Vulnerability Description

Improper certificate validation in libcurl when using specific TLS configurations. Under certain conditions, curl may not properly validate certificate chains, potentially allowing man-in-the-middle attacks.

Attack Vector: Requires network positioning and crafted TLS certificates.

Risk Assessment

Exploitability: LOW

• curl only used for localhost healthcheck (http:// not https://)
• No TLS connections made by curl in Charon deployment
• Internal network environment (container to localhost)
• No external network access from curl invocations

Impact: LOW

• No sensitive data transmitted via curl
• Healthcheck endpoints are internal status checks only
• Application uses Go's crypto/tls for all real TLS connections
• curl TLS not used in production deployment

Risk Level: LOW (Low exploitability × Low impact = Low overall risk)

Mitigation Strategies

1. No TLS Usage: curl invocations use HTTP, not HTTPS (localhost only)
2. Internal Network: curl only connects to localhost (127.0.0.1:8080)
3. Go HTTP Client: Application uses Go's standard library for all external HTTPS connections
4. Network Isolation: Container network isolated from external networks

Monitoring & Remediation Plan

• Monitoring Frequency: Daily checks of Alpine and curl security advisories
• Source: https://security.alpinelinux.org/vuln/curl
• Alert Trigger: Patch release for CVE-2025-14819
• Remediation Action: Automatic rebuild with updated Alpine base image
• Review Date: 2026-02-13 (30 days) or upon patch release, whichever is sooner

---

CVE-2025-14524: curl - Cookie Handling

Status: ⚠️ ACCEPTED - Pending Alpine Security Patch Date Accepted: 2026-01-13 Severity: MEDIUM CVSS: 5.9 (Estimated) CWE: CWE-200 (Exposure of Sensitive Information)

Affected Components

• curl: 8.14.1-r2 (Alpine APK)
• libcurl: 8.14.1-r2 (implicit dependency)

Vulnerability Description

Cookie handling vulnerability in libcurl that may expose cookies to unintended domains under specific redirect scenarios.

Attack Vector: Requires malicious server with redirect chains and cookie manipulation.

Risk Assessment

Exploitability: LOW

• curl does not use cookies in Charon deployment
• Healthcheck scripts do not enable cookie handling
• No cookie jar files used
• Internal localhost-only connections

Impact: LOW

• No cookies used in curl invocations
• Healthcheck endpoints do not set or require cookies
• No sensitive data in curl requests

Risk Level: LOW (Low exploitability × Low impact = Low overall risk)

Mitigation Strategies

1. No Cookie Usage: curl invocations do not use -c or -b flags (no cookie support)
2. Internal Endpoints: curl only connects to localhost healthcheck endpoints
3. No Redirects: Healthcheck endpoints do not issue redirects
4. Stateless Checks: Healthchecks are simple HTTP GET requests without state

Monitoring & Remediation Plan

• Monitoring Frequency: Daily checks of Alpine and curl security advisories
• Source: https://security.alpinelinux.org/vuln/curl
• Alert Trigger: Patch release for CVE-2025-14524
• Remediation Action: Automatic rebuild with updated Alpine base image
• Review Date: 2026-02-13 (30 days) or upon patch release, whichever is sooner

---

CVE-2025-13034: curl - URL Parsing

Status: ⚠️ ACCEPTED - Pending Alpine Security Patch Date Accepted: 2026-01-13 Severity: MEDIUM CVSS: 6.1 (Estimated) CWE: CWE-20 (Improper Input Validation)

Affected Components

• curl: 8.14.1-r2 (Alpine APK)
• libcurl: 8.14.1-r2 (implicit dependency)

Vulnerability Description

URL parsing vulnerability that may allow URL injection or filter bypass when parsing specially crafted URLs with unusual schemes or malformed components.

Attack Vector: Requires curl to process attacker-controlled URLs with malicious formatting.

Risk Assessment

Exploitability: LOW

• All curl URLs are hardcoded in healthcheck scripts
• No user input accepted for URL construction
• Simple localhost URLs only (http://localhost:8080/api/v1/health)
• No URL parsing of external or user-provided data

Impact: LOW

• Hardcoded URLs are validated at build time
• No dynamic URL construction in curl invocations
• Healthcheck script failure triggers container restart (non-critical)

Risk Level: LOW (Low exploitability × Low impact = Low overall risk)

Mitigation Strategies

1. Hardcoded URLs: All curl URLs are string literals in scripts (no variables)
2. Input Validation: No external input used in URL construction
3. Simple URLs: Only basic HTTP localhost URLs used
4. Code Review: Healthcheck scripts reviewed for security

Monitoring & Remediation Plan

• Monitoring Frequency: Daily checks of Alpine and curl security advisories
• Source: https://security.alpinelinux.org/vuln/curl
• Alert Trigger: Patch release for CVE-2025-13034
• Remediation Action: Automatic rebuild with updated Alpine base image
• Review Date: 2026-02-13 (30 days) or upon patch release, whichever is sooner

---

CVE-2025-10966: curl - Cookie Domain Bypass

Status: ⚠️ ACCEPTED - Pending Alpine Security Patch Date Accepted: 2026-01-13 Severity: MEDIUM CVSS: 6.5 (Estimated) CWE: CWE-285 (Improper Authorization)

Affected Components

• curl: 8.14.1-r2 (Alpine APK)
• libcurl: 8.14.1-r2 (implicit dependency)

Vulnerability Description

Cookie domain validation bypass allowing cookies to be sent to unintended domains under specific redirect scenarios with domain matching edge cases.

Attack Vector: Requires malicious server with crafted Set-Cookie headers and redirect chains.

Risk Assessment

Exploitability: LOW

• curl does not use cookies in Charon deployment
• No cookie jar functionality enabled
• Internal localhost-only connections
• No redirects in healthcheck endpoints

Impact: LOW

• No cookies stored or transmitted by curl
• Healthcheck scripts are stateless
• No sensitive data in curl requests

Risk Level: LOW (Low exploitability × Low impact = Low overall risk)

Mitigation Strategies

1. No Cookie Usage: curl invocations do not enable cookie handling
2. Internal Network: curl only connects to localhost (no external domains)
3. No Redirects: Healthcheck endpoints return direct responses
4. Stateless Design: Healthchecks do not require session state

Monitoring & Remediation Plan

• Monitoring Frequency: Daily checks of Alpine and curl security advisories
• Source: https://security.alpinelinux.org/vuln/curl
• Alert Trigger: Patch release for CVE-2025-10966
• Remediation Action: Automatic rebuild with updated Alpine base image
• Review Date: 2026-02-13 (30 days) or upon patch release, whichever is sooner

---

CVE-2025-15224: curl - Information Disclosure

Status: ⚠️ ACCEPTED - Pending Alpine Security Patch Date Accepted: 2026-01-13 Severity: LOW CVSS: 3.7 (Estimated) CWE: CWE-200 (Exposure of Sensitive Information)

Affected Components

• curl: 8.14.1-r2 (Alpine APK)
• libcurl: 8.14.1-r2 (implicit dependency)

Vulnerability Description

Minor information disclosure vulnerability in curl verbose logging that may expose sensitive HTTP headers or metadata in debug output.

Attack Vector: Requires verbose logging enabled and access to curl output/logs.

Risk Assessment

Exploitability: LOW

• curl not run with verbose flags in production
• Healthcheck scripts use minimal output
• No sensitive data in healthcheck requests
• Container logs do not expose curl debug output

Impact: LOW

• Healthcheck requests contain no sensitive information
• Verbose mode not enabled in production scripts
• Container logs filtered and access-controlled

Risk Level: LOW (Low exploitability × Low impact = Low overall risk)

Mitigation Strategies

1. No Verbose Logging: curl invocations do not use -v or --verbose flags
2. Minimal Output: Healthcheck scripts capture only exit codes
3. No Sensitive Data: Healthcheck requests contain only localhost URLs
4. Log Access Control: Container logs require authentication to access

Monitoring & Remediation Plan

• Monitoring Frequency: Daily checks of Alpine and curl security advisories
• Source: https://security.alpinelinux.org/vuln/curl
• Alert Trigger: Patch release for CVE-2025-15224
• Remediation Action: Automatic rebuild with updated Alpine base image
• Review Date: 2026-02-13 (30 days) or upon patch release, whichever is sooner

---

CVE-2025-14017: curl - Protocol Downgrade

Status: ⚠️ ACCEPTED - Pending Alpine Security Patch Date Accepted: 2026-01-13 Severity: MEDIUM CVSS: 6.8 (Estimated) CWE: CWE-757 (Selection of Less-Secure Algorithm During Negotiation)

Affected Components

• curl: 8.14.1-r2 (Alpine APK)
• libcurl: 8.14.1-r2 (implicit dependency)

Vulnerability Description

Protocol downgrade vulnerability in curl that may allow downgrade from HTTP/2 to HTTP/1.1 or TLS version downgrade in specific server response scenarios.

Attack Vector: Requires man-in-the-middle position or malicious server with protocol negotiation manipulation.

Risk Assessment

Exploitability: LOW

• curl only connects to localhost (no external network path)
• HTTP only (no TLS connections from curl)
• No protocol negotiation in simple healthcheck GET requests
• Internal container network (no MITM possibility)

Impact: LOW

• Localhost-only connections eliminate MITM attack vector
• No sensitive data transmitted via curl
• Protocol downgrade irrelevant for HTTP localhost connections

Risk Level: LOW (Low exploitability × Low impact = Low overall risk)

Mitigation Strategies

1. Localhost Only: curl connects to 127.0.0.1 (no external network path)
2. HTTP Only: No TLS connections (protocol downgrade not applicable)
3. Internal Network: Container network isolated from external threats
4. Simple Requests: Basic HTTP GET requests with no protocol negotiation

Monitoring & Remediation Plan

• Monitoring Frequency: Daily checks of Alpine and curl security advisories
• Source: https://security.alpinelinux.org/vuln/curl
• Alert Trigger: Patch release for CVE-2025-14017
• Remediation Action: Automatic rebuild with updated Alpine base image
• Review Date: 2026-02-13 (30 days) or upon patch release, whichever is sooner

---

Summary Risk Matrix

CVE ID	Component	Severity	Exploitability	Impact	Overall Risk	Status
CVE-2025-60876	busybox (3 pkgs)	MEDIUM	LOW	LOW-MEDIUM	LOW	✅ Accepted
CVE-2025-15079	curl	MEDIUM	LOW	LOW	LOW	✅ Accepted
CVE-2025-14819	curl	MEDIUM	LOW	LOW	LOW	✅ Accepted
CVE-2025-14524	curl	MEDIUM	LOW	LOW	LOW	✅ Accepted
CVE-2025-13034	curl	MEDIUM	LOW	LOW	LOW	✅ Accepted
CVE-2025-10966	curl	MEDIUM	LOW	LOW	LOW	✅ Accepted
CVE-2025-15224	curl	LOW	LOW	LOW	LOW	✅ Accepted
CVE-2025-14017	curl	MEDIUM	LOW	LOW	LOW	✅ Accepted

Total: 9 Alpine OS package CVEs Application Code Vulnerabilities: 0 (Clean)

---

Continuous Monitoring

Automated Monitoring

1. GitHub Dependabot: Monitors Alpine package updates
2. Renovate Bot: Automated PR creation for base image updates
3. Trivy Scanning: Weekly security scans in CI/CD (Sunday 02:00 UTC)
4. Supply Chain Verification: Runs on every PR and release

Manual Monitoring

1. Daily Checks: Alpine Security Team advisories during active incident periods
2. Weekly Reviews: Security team reviews Alpine security feed
3. Monthly Reviews: Comprehensive review of all accepted risks (1st Monday)
4. Quarterly Reviews: Full risk re-assessment and mitigation strategy evaluation

Alert Triggers

Immediate escalation if:

• Severity upgraded to HIGH or CRITICAL
• Active exploitation detected in the wild
• CISA KEV (Known Exploited Vulnerabilities) listing
• Public proof-of-concept exploit published
• Regulatory/compliance requirement to remediate

---

Remediation Timeline

Expected Upstream Fixes

• busybox (CVE-2025-60876): Awaiting Alpine Security Team patch
• curl (7 CVEs): Awaiting Alpine Security Team patches

Automatic Remediation Process

1. Detection: Renovate Bot detects updated Alpine base image
2. PR Creation: Automated PR created with base image update
3. CI Validation: Full security scan suite runs
4. Review: Security team reviews changes
5. Merge: Auto-merge if all checks pass
6. Deploy: Automatic release with updated base image

Estimated Time to Remediation: < 24 hours after upstream patch release

Manual Escalation Path

If no patches available after review date (2026-02-13):

1. Risk Re-Assessment: Evaluate if risk profile has changed
2. Alternative Base Images: Consider Debian slim, distroless, or scratch
3. Workarounds: Evaluate removing curl/busybox from final image stage
4. Accept Extended: Extend acceptance with updated review date

---

Compliance & Audit

Regulatory Considerations

• NIST SP 800-53: RA-3 (Risk Assessment), RA-5 (Vulnerability Scanning)
• ISO 27001: A.12.6.1 (Management of technical vulnerabilities)
• CIS Controls: Control 7 (Continuous Vulnerability Management)
• SOC 2: CC7.1 (System Operations - Vulnerability Management)

Audit Trail

This document provides evidence of:

• Vulnerability identification and assessment
• Risk-based decision making
• Mitigation strategies implementation
• Continuous monitoring process
• Defined remediation timeline

Approval Record

Reviewed By: Security Team & Engineering Director Approved By: Engineering Director Date: 2026-01-13 Next Review: 2026-02-13 (30 days)

Approval Rationale:

All 9 vulnerabilities are Alpine OS base image packages with no upstream patches available. The assessed risk is LOW across all CVEs due to:

1. Effective containerization and isolation
2. No attack surface exposure through Charon application
3. Hardcoded, internal-only usage of affected utilities
4. Multiple layers of defense-in-depth mitigation
5. Active monitoring and automated remediation process

The decision to accept these risks is consistent with industry best practices for vulnerability management in containerized applications pending upstream security patches.

---

References

Official Sources

• Alpine Linux Security Team
• Alpine Security Advisories
• National Vulnerability Database (NVD)
• MITRE CVE Database
• CISA Known Exploited Vulnerabilities

Project Documentation

• Charon Security Policy
• Supply Chain Security Documentation
• Accepted Risks (Legacy)
• PR #461 Remediation Plan

Standards & Frameworks

• NIST SP 800-53 Rev 5
• OWASP Risk Rating Methodology
• CIS Controls v8
• ISO 27001:2022

---

Document Version: 1.0 Last Updated: 2026-01-13 Next Review: 2026-02-13