Synopsis
Important: cockpit-image-builder security update
Type/Severity
Security Advisory: Important
Topic
An update for cockpit-image-builder is now available for Red Hat Enterprise Linux 10.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The image-builder-frontend generates custom images suitable for deploying systems or uploading to the cloud. It integrates into Cockpit as a frontend for osbuild.
Security Fix(es):
- lodash: prototype pollution in _.unset and _.omit functions (CVE-2025-13465)
- lodash: Arbitrary code execution via untrusted input in template imports (CVE-2026-4800)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 10 x86_64
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2 x86_64
- Red Hat Enterprise Linux for IBM z Systems 10 s390x
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.2 s390x
- Red Hat Enterprise Linux for Power, little endian 10 ppc64le
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.2 ppc64le
- Red Hat Enterprise Linux for ARM 64 10 aarch64
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.2 aarch64
- Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.2 aarch64
- Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.2 s390x
- Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.2 ppc64le
- Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.2 x86_64
- Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 10.2 x86_64
- Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 10.2 aarch64
- Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 10.2 ppc64le
- Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 10.2 s390x
Fixes
- BZ - 2431740 - CVE-2025-13465 lodash: prototype pollution in _.unset and _.omit functions
- BZ - 2453496 - CVE-2026-4800 lodash: Arbitrary code execution via untrusted input in template imports
- RHEL-182455 - cockpit-image-builder fails to save a blueprint with "cannot create directory '/home/$USER/.local/state/cockpit-image-builder': No such file or directory"
Note:
More recent versions of these packages may be available.
Red Hat Enterprise Linux for x86_64 10
| SRPM | |
| cockpit-image-builder-94.3-1.el10_2.src.rpm | SHA-256: bf6f82c48d2561186639eff14c28aa6c43a2fdf1f74e8f64b688221d61bb9066 |
| x86_64 | |
| cockpit-image-builder-94.3-1.el10_2.noarch.rpm | SHA-256: ec5810e6ba5927c72b446479c2d99df76f752967946f1558826d3309cefd85fe |
Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2
| SRPM | |
| cockpit-image-builder-94.3-1.el10_2.src.rpm | SHA-256: bf6f82c48d2561186639eff14c28aa6c43a2fdf1f74e8f64b688221d61bb9066 |
| x86_64 | |
| cockpit-image-builder-94.3-1.el10_2.noarch.rpm | SHA-256: ec5810e6ba5927c72b446479c2d99df76f752967946f1558826d3309cefd85fe |
Red Hat Enterprise Linux for IBM z Systems 10
| SRPM | |
| cockpit-image-builder-94.3-1.el10_2.src.rpm | SHA-256: bf6f82c48d2561186639eff14c28aa6c43a2fdf1f74e8f64b688221d61bb9066 |
| s390x | |
| cockpit-image-builder-94.3-1.el10_2.noarch.rpm | SHA-256: ec5810e6ba5927c72b446479c2d99df76f752967946f1558826d3309cefd85fe |
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.2
| SRPM | |
| cockpit-image-builder-94.3-1.el10_2.src.rpm | SHA-256: bf6f82c48d2561186639eff14c28aa6c43a2fdf1f74e8f64b688221d61bb9066 |
| s390x | |
| cockpit-image-builder-94.3-1.el10_2.noarch.rpm | SHA-256: ec5810e6ba5927c72b446479c2d99df76f752967946f1558826d3309cefd85fe |
Red Hat Enterprise Linux for Power, little endian 10
| SRPM | |
| cockpit-image-builder-94.3-1.el10_2.src.rpm | SHA-256: bf6f82c48d2561186639eff14c28aa6c43a2fdf1f74e8f64b688221d61bb9066 |
| ppc64le | |
| cockpit-image-builder-94.3-1.el10_2.noarch.rpm | SHA-256: ec5810e6ba5927c72b446479c2d99df76f752967946f1558826d3309cefd85fe |
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.2
| SRPM | |
| cockpit-image-builder-94.3-1.el10_2.src.rpm | SHA-256: bf6f82c48d2561186639eff14c28aa6c43a2fdf1f74e8f64b688221d61bb9066 |
| ppc64le | |
| cockpit-image-builder-94.3-1.el10_2.noarch.rpm | SHA-256: ec5810e6ba5927c72b446479c2d99df76f752967946f1558826d3309cefd85fe |
Red Hat Enterprise Linux for ARM 64 10
| SRPM | |
| cockpit-image-builder-94.3-1.el10_2.src.rpm | SHA-256: bf6f82c48d2561186639eff14c28aa6c43a2fdf1f74e8f64b688221d61bb9066 |
| aarch64 | |
| cockpit-image-builder-94.3-1.el10_2.noarch.rpm | SHA-256: ec5810e6ba5927c72b446479c2d99df76f752967946f1558826d3309cefd85fe |
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.2
| SRPM | |
| cockpit-image-builder-94.3-1.el10_2.src.rpm | SHA-256: bf6f82c48d2561186639eff14c28aa6c43a2fdf1f74e8f64b688221d61bb9066 |
| aarch64 | |
| cockpit-image-builder-94.3-1.el10_2.noarch.rpm | SHA-256: ec5810e6ba5927c72b446479c2d99df76f752967946f1558826d3309cefd85fe |
Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.2
| SRPM | |
| cockpit-image-builder-94.3-1.el10_2.src.rpm | SHA-256: bf6f82c48d2561186639eff14c28aa6c43a2fdf1f74e8f64b688221d61bb9066 |
| aarch64 | |
| cockpit-image-builder-94.3-1.el10_2.noarch.rpm | SHA-256: ec5810e6ba5927c72b446479c2d99df76f752967946f1558826d3309cefd85fe |
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.2
| SRPM | |
| cockpit-image-builder-94.3-1.el10_2.src.rpm | SHA-256: bf6f82c48d2561186639eff14c28aa6c43a2fdf1f74e8f64b688221d61bb9066 |
| s390x | |
| cockpit-image-builder-94.3-1.el10_2.noarch.rpm | SHA-256: ec5810e6ba5927c72b446479c2d99df76f752967946f1558826d3309cefd85fe |
Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.2
| SRPM | |
| cockpit-image-builder-94.3-1.el10_2.src.rpm | SHA-256: bf6f82c48d2561186639eff14c28aa6c43a2fdf1f74e8f64b688221d61bb9066 |
| ppc64le | |
| cockpit-image-builder-94.3-1.el10_2.noarch.rpm | SHA-256: ec5810e6ba5927c72b446479c2d99df76f752967946f1558826d3309cefd85fe |
Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.2
| SRPM | |
| cockpit-image-builder-94.3-1.el10_2.src.rpm | SHA-256: bf6f82c48d2561186639eff14c28aa6c43a2fdf1f74e8f64b688221d61bb9066 |
| x86_64 | |
| cockpit-image-builder-94.3-1.el10_2.noarch.rpm | SHA-256: ec5810e6ba5927c72b446479c2d99df76f752967946f1558826d3309cefd85fe |
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 10.2
| SRPM | |
| cockpit-image-builder-94.3-1.el10_2.src.rpm | SHA-256: bf6f82c48d2561186639eff14c28aa6c43a2fdf1f74e8f64b688221d61bb9066 |
| x86_64 | |
| cockpit-image-builder-94.3-1.el10_2.noarch.rpm | SHA-256: ec5810e6ba5927c72b446479c2d99df76f752967946f1558826d3309cefd85fe |
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 10.2
| SRPM | |
| cockpit-image-builder-94.3-1.el10_2.src.rpm | SHA-256: bf6f82c48d2561186639eff14c28aa6c43a2fdf1f74e8f64b688221d61bb9066 |
| aarch64 | |
| cockpit-image-builder-94.3-1.el10_2.noarch.rpm | SHA-256: ec5810e6ba5927c72b446479c2d99df76f752967946f1558826d3309cefd85fe |
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 10.2
| SRPM | |
| cockpit-image-builder-94.3-1.el10_2.src.rpm | SHA-256: bf6f82c48d2561186639eff14c28aa6c43a2fdf1f74e8f64b688221d61bb9066 |
| ppc64le | |
| cockpit-image-builder-94.3-1.el10_2.noarch.rpm | SHA-256: ec5810e6ba5927c72b446479c2d99df76f752967946f1558826d3309cefd85fe |
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 10.2
| SRPM | |
| cockpit-image-builder-94.3-1.el10_2.src.rpm | SHA-256: bf6f82c48d2561186639eff14c28aa6c43a2fdf1f74e8f64b688221d61bb9066 |
| s390x | |
| cockpit-image-builder-94.3-1.el10_2.noarch.rpm | SHA-256: ec5810e6ba5927c72b446479c2d99df76f752967946f1558826d3309cefd85fe |