Security vulnerabilities detected in NetApp Trident container images (CVE-2025-61727, CVE-2025-61729)

[nikhiljoseph2905]

Description

Container security scanning has identified vulnerabilities in NetApp Trident–related container images used in our Kubernetes environment.

Affected images include:

docker.io/netapp/trident

docker.io/netapp/trident-autosupport

registry.k8s.io/sig-storage/csi-provisioner

registry.k8s.io/sig-storage/csi-resizer

registry.k8s.io/sig-storage/csi-node-driver-registrar
registry.k8s.io/sig-storage/csi-attacher
registry.k8s.io/sig-storage/csi-snapshotter

Detected vulnerabilities:

CVE-2025-61727 (Medium)

CVE-2025-61729 (High – Go crypto/x509)

These vulnerabilities appear to be related to the Go toolchain version used to build the images.

Request

Please advise:

Whether patched images are available

The Trident / CSI component versions that remediate these CVEs

Any recommended mitigation or upgrade path

These findings are blocking our CI/CD security gates.

[reederc42]

The Go version used to build Trident will be updated in our February release, which will fix this issue for the trident and trident-autosupport images. We don't know if there will be a fix in the sig-storage images, when they update we'll update Trident to use them.

Before the updated images are available, trident-autosupport is not vulnerable to these issues. TLS is only used to communicate with NetApp's AutoSupport service, which currently does not use any affected certificates (there is only one SAN and no subdomain constraints). trident is vulnerable, but if and only if an authenticated user installs affected certificates to storage backends, such as ONTAP, or the Kubernetes cluster.

Please reach out to support if you have more questions.