
ETA for EKS-optimized AMI patching CVE-2025-68121 (go/stdlib 1.25.1)


Service: Amazon EKS
Category: Security / Vulnerability
Severity: High

We have 10 Critical findings in AWS Inspector across our EKS node groups in il-central-1, all for the same vulnerability:

  • CVE: CVE-2025-68121
  • Affected package: go/stdlib 1.25.1 (statically compiled into kubelet, containerd)
  • Inspector status: Fix Available = YES, but no patched AMI exists

Current state:

  • EKS version: 1.33 (platform eks.29)
  • AMI type: AL2023_x86_64_STANDARD
  • Current AMI: ami-00d8550d2bb032240 (v20260304 — latest recommended)
  • Affected node groups: 4 (2 clusters × 2 node groups each, staging + production)

We have verified that:

  1. All node groups are already running the latest recommended AMI (v20260304)
  2. No newer AMI is available in any channel (AL2023 standard, nvidia, neuron, Bottlerocket)
  3. EKS versions 1.34 and 1.35 also ship the same v20260304 build with the same vulnerability
  4. The Go stdlib is statically linked into node binaries, so OS-level patching cannot resolve this

Request:

  1. What is the ETA for a patched EKS-optimized AMI that resolves CVE-2025-68121?
  2. Will the fix be included in the next scheduled AMI release, or is an out-of-band release planned?

This is flagged as Critical severity by Inspector and is a compliance concern for our production environment.

1 Answer

CVE-2025-68121 affects the Go stdlib (1.25.1) statically compiled into EKS node binaries (kubelet and containerd). Although Amazon Linux Advisory Service (ALAS) shows fixes are available for all Amazon Linux flavors (ALAS CVE-2025-68121), these only patch the OS-level packages.

OS-level updates do not resolve the CVE in EKS nodes because the vulnerable Go stdlib is statically linked into the binaries. The only solution is to update EKS node groups to a new EKS-optimized AMI where AWS has rebuilt the binaries with the patched Go stdlib.

Recommended actions until the patched AMI is available:

  1. Monitor the Amazon EKS-Optimized AMI release notes for the next AMI release addressing this CVE.
  2. Engage AWS Support to confirm ETA or request early access to a patched AMI.
  3. Mitigate exposure by restricting workloads, applying network policies, and limiting untrusted access to nodes.

Once the patched AMI is released, update all affected node groups to eliminate the vulnerability.

answered 2 months ago
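The answer above rests on one fact: the Go standard library is compiled into kubelet and containerd, so only a binary rebuilt with a patched toolchain clears the finding. The check a practitioner wants, on a running node or against a candidate AMI before rolling it out, is to read the Go toolchain version recorded in each binary's build info and compare it with the first fixed release. The program below is an added example, not code from the question, the answer or AWS. It assumes the binaries live at /usr/bin/kubelet and /usr/bin/containerd (the default paths on the AL2023 EKS AMI) and that the operator supplies the first fixed Go release as -min, taken from the Go or ALAS advisory; the page does not state that version, so none is hard-coded here.

```go
package main

import (
	"debug/buildinfo"
	"flag"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersionOf returns the Go toolchain version (for example "go1.25.1")
// recorded in the build info of a statically linked Go binary.
func goVersionOf(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

// parseGoVersion turns "go1.25.1" into [1 25 1]. A pre-release suffix
// ("go1.26rc1" -> [1 26 0]) is reported separately so it sorts before the
// release with the same numbers.
func parseGoVersion(v string) (parts [3]int, prerelease bool, err error) {
	s := strings.TrimPrefix(v, "go")
	if s == v || s == "" {
		return parts, false, fmt.Errorf("not a Go version string: %q", v)
	}
	for i, field := range strings.SplitN(s, ".", 3) {
		digits := field
		// Cut a trailing "rc1" / "beta2" off the numeric component.
		if j := strings.IndexFunc(field, func(r rune) bool { return r < '0' || r > '9' }); j >= 0 {
			digits, prerelease = field[:j], true
		}
		n, convErr := strconv.Atoi(digits)
		if convErr != nil {
			return parts, false, fmt.Errorf("bad component %q in %q", field, v)
		}
		parts[i] = n
	}
	return parts, prerelease, nil
}

// compareGoVersion returns -1, 0 or 1 as a is older than, equal to, or newer
// than b.
func compareGoVersion(a, b string) (int, error) {
	pa, prea, err := parseGoVersion(a)
	if err != nil {
		return 0, err
	}
	pb, preb, err := parseGoVersion(b)
	if err != nil {
		return 0, err
	}
	for i := range pa {
		if pa[i] < pb[i] {
			return -1, nil
		}
		if pa[i] > pb[i] {
			return 1, nil
		}
	}
	switch {
	case prea && !preb:
		return -1, nil
	case !prea && preb:
		return 1, nil
	}
	return 0, nil
}

// needsRebuild reports whether the binary at path was built with a toolchain
// older than minFixed, along with the version it found.
func needsRebuild(path, minFixed string) (bool, string, error) {
	have, err := goVersionOf(path)
	if err != nil {
		return false, "", err
	}
	c, err := compareGoVersion(have, minFixed)
	return c < 0, have, err
}

func main() {
	minFixed := flag.String("min", "", "first Go release carrying the fix, from the advisory (e.g. go1.25.N)")
	flag.Parse()
	if *minFixed == "" {
		fmt.Fprintln(os.Stderr, "usage: check -min goX.Y.Z [binary ...]")
		os.Exit(2)
	}
	paths := flag.Args()
	if len(paths) == 0 {
		// Assumed default locations on the AL2023 EKS-optimized AMI.
		paths = []string{"/usr/bin/kubelet", "/usr/bin/containerd"}
	}
	exit := 0
	for _, p := range paths {
		old, have, err := needsRebuild(p, *minFixed)
		switch {
		case err != nil:
			fmt.Printf("%s: %v\n", p, err)
			exit = 2
		case old:
			fmt.Printf("%s: built with %s, older than %s: still vulnerable\n", p, have, *minFixed)
			exit = 1
		default:
			fmt.Printf("%s: built with %s, at or above %s\n", p, have, *minFixed)
		}
	}
	os.Exit(exit)
}
```

Run it on a node as `go run check.go -min go1.25.N /usr/bin/kubelet /usr/bin/containerd`, substituting the release the advisory names; a non-zero exit means at least one binary still carries the old toolchain. The same GoVersion line can be read by hand with `go version -m /usr/bin/kubelet`, which is a quick way to confirm that a new AMI build actually changed the toolchain rather than only the OS packages.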
