CVEs issues in GKE cos image

Hello everyone,

I was reviewing a few vulnerabilities indicated by Prisma Cloud on our cluster's nodes. Upon closer inspection, I noticed quite a few of the CVEs already had a security patch according to the COS image security bulletin (https://cloud.google.com/container-optimized-os/docs/release-notes/m117). However, they were not fixed on our nodes.

For reference, let's look at CVE-2025-22869, which declares The Go Programming Language package prior to 0.35 as vulnerable. In cos-117-18613-164-68, a patch was announced bumping this package to 0.35, but on our nodes, which are on cos-117-18613-164-98, the version number is still 0.17. There are multiple other CVEs in the same situation.

Has anyone faced an issue like this before? Could it be a false-positive? Should we open a support ticket?
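As an added triage helper (not part of the original post or of any Google tooling), the Python below parses the `dep` lines of `go version -m <binary>` output and compares the embedded golang.org/x/crypto module version against the fixed version 0.35.0 for CVE-2025-22869, so a node finding can be checked against what is actually linked into a binary rather than only against the scanner's report. It assumes, as this author's assumption and not a fact from the thread, that the scanner's "Go Programming Language package 0.17" refers to golang.org/x/crypto v0.17.0 embedded in a binary; the sample output and checksums are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `go version -m <binary>` output (not captured from a real node).
# Real output has one "dep" line per module: tab-separated path, version and checksum.
SAMPLE_GO_VERSION_M = """\
/usr/bin/example-agent: go1.22.5
\tpath\texample.com/agent
\tmod\texample.com/agent\t(devel)
\tdep\tgolang.org/x/crypto\tv0.17.0\th1:CONSTRUCTEDCHECKSUM=
\tdep\tgolang.org/x/sys\tv0.15.0\th1:CONSTRUCTEDCHECKSUM=
\tbuild\t-buildmode=exe
"""

# CVE-2025-22869 (golang.org/x/crypto/ssh): fixed version 0.35 as stated in the thread.
# Assumption: the scanner's "Go package" finding maps to this module.
FIXED_VERSIONS = {"golang.org/x/crypto": "v0.35.0"}

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn 'v0.17.0' (optionally with a -pre/+meta suffix) into a comparable tuple."""
    m = _VER_RE.match(v)
    if not m:
        raise ValueError(f"unparseable Go module version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def parse_deps(go_version_m_output: str) -> Dict[str, str]:
    """Extract {module path: version} from the 'dep' lines of `go version -m` output."""
    deps: Dict[str, str] = {}
    for line in go_version_m_output.splitlines():
        fields = line.strip().split("\t")
        if len(fields) >= 3 and fields[0] == "dep":
            deps[fields[1]] = fields[2]
    return deps


def vulnerable_modules(deps: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (module, embedded version, fixed version) for modules below their fix."""
    findings = []
    for module, fixed in FIXED_VERSIONS.items():
        embedded = deps.get(module)
        if embedded is not None and parse_version(embedded) < parse_version(fixed):
            findings.append((module, embedded, fixed))
    return findings


if __name__ == "__main__":
    for module, have, fixed in vulnerable_modules(parse_deps(SAMPLE_GO_VERSION_M)):
        print(f"{module} {have} < {fixed}: binary still embeds the unpatched module")
```

On a real node, feed the output of `go version -m` for the binaries the scanner flagged into `parse_deps`; an empty result from `vulnerable_modules` supports the false-positive theory, a non-empty one shows exactly which binary still carries the old module.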

Hi vitor-tn,

Welcome to Google Cloud Community!

The vulnerability is related to the Go Project. However, GKE does not use the affected SSH server implementations, and there is no evidence that this vulnerability impacts any components or services within GKE clusters. As such, GKE users are not affected by CVE-2025-22869.

To address your concern, we recommend updating your nodes to the latest Container-Optimized OS (COS) build under Milestone 117 or consider moving to a newer milestone (such as Milestone 121) to ensure all security patches are applied.

If the issue still persists and needs further assistance, feel free to reach out to our Google Cloud Support.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
