CVE-2025-68121 (HIGH): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2025-68121	HIGH	libcap	2.73-1.amzn2023.0.5	2.73-1.amzn2023.0.6	2026-02-05T18:16:10.857Z	2026-02-08T10:18:18.781547626Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/provided:latest	public.ecr.aws/lambda/provided@sha256:b552c8a6a9439ade38fc00160b6827ba73f233865b44c75ca66b7d3069b21bd8
public.ecr.aws/lambda/provided:al2023	public.ecr.aws/lambda/provided@sha256:b552c8a6a9439ade38fc00160b6827ba73f233865b44c75ca66b7d3069b21bd8
public.ecr.aws/lambda/provided:al2	public.ecr.aws/lambda/provided@sha256:c95bb4740c55b5aed125530d1e4fff4fa54dc2c8c38401255cef1c8fae6f16dd
public.ecr.aws/lambda/python:latest	public.ecr.aws/lambda/python@sha256:c298670d11e7ef1f2ef63357da84c3dbf5176f25b1e8bac43410c4a8f6626fc0
public.ecr.aws/lambda/python:3.14	public.ecr.aws/lambda/python@sha256:426f35313ef4bd78b9ec159301e619c7708b49b22f47e9525763feb773984984
public.ecr.aws/lambda/python:3.13	public.ecr.aws/lambda/python@sha256:c298670d11e7ef1f2ef63357da84c3dbf5176f25b1e8bac43410c4a8f6626fc0
public.ecr.aws/lambda/python:3.12	public.ecr.aws/lambda/python@sha256:5787d35f17fa738e8409f93e591243e80ab03e614d62bc850c0deca2b1065896
public.ecr.aws/lambda/python:3.11	public.ecr.aws/lambda/python@sha256:474fd1275b70405d2e6aa25701e0aa2c45d651a22d5752f2e4abfa640700e557
public.ecr.aws/lambda/python:3.10	public.ecr.aws/lambda/python@sha256:30c7b8614d0e826edee1d7a98e8d5b96d24758eb71be0d2a4f9747c47afa0321
public.ecr.aws/lambda/nodejs:latest	public.ecr.aws/lambda/nodejs@sha256:1fe9b37355be76d42678e1ce967437f66a38fb36bc7685c50ee5d05f7bce754b
public.ecr.aws/lambda/nodejs:24	public.ecr.aws/lambda/nodejs@sha256:1d103fa43ec950fec9f0a2f678ece499dd58276a45cbbac52e2ae2d8511ac9ab
public.ecr.aws/lambda/nodejs:22	public.ecr.aws/lambda/nodejs@sha256:1fe9b37355be76d42678e1ce967437f66a38fb36bc7685c50ee5d05f7bce754b
public.ecr.aws/lambda/nodejs:20	public.ecr.aws/lambda/nodejs@sha256:4755182a6b9bbb8d713cb585038a8c100012c03fde73af4136e97ff0506f9f16
public.ecr.aws/lambda/java:latest	public.ecr.aws/lambda/java@sha256:82e9a3bdee92873a90a65186e987af72f5256a3fbd432dc32d3ed92eb5f1f4e0
public.ecr.aws/lambda/java:25	public.ecr.aws/lambda/java@sha256:0d37d120a6dab8b2972e07bcf552c37b1bbb9140ce4f1faa13890f1e5fdb7cef
public.ecr.aws/lambda/java:21	public.ecr.aws/lambda/java@sha256:82e9a3bdee92873a90a65186e987af72f5256a3fbd432dc32d3ed92eb5f1f4e0
public.ecr.aws/lambda/java:17	public.ecr.aws/lambda/java@sha256:493cc7d1085a30a8507055d7aa9d46ea846d6921e38895061f5893c5ddfe0f32
public.ecr.aws/lambda/java:11	public.ecr.aws/lambda/java@sha256:f7fe1fa2410e39d2aff9d60e84ee2241276ce238350544627186774b18ba370f
public.ecr.aws/lambda/java:8.al2	public.ecr.aws/lambda/java@sha256:5403b865aa3424b877eac9b82a38e47206de8d3dd4b1ec9603548acfe3f3f42d
public.ecr.aws/lambda/dotnet:latest	public.ecr.aws/lambda/dotnet@sha256:de9a13b0c6b1aca3e09a91e58bbc53a4ac20075019fb53f64984e1a344acaf32
public.ecr.aws/lambda/dotnet:10	public.ecr.aws/lambda/dotnet@sha256:291f2b667e980bceefc3041dd95941b782a0deb3364bb4c5d1a656451f482e3a
public.ecr.aws/lambda/dotnet:9	public.ecr.aws/lambda/dotnet@sha256:de9a13b0c6b1aca3e09a91e58bbc53a4ac20075019fb53f64984e1a344acaf32
public.ecr.aws/lambda/dotnet:8	public.ecr.aws/lambda/dotnet@sha256:5aba1ce4e38cf4989df306c981c86b9b1f187d113cbc1d6e211c391d0d94fd62
public.ecr.aws/lambda/ruby:latest	public.ecr.aws/lambda/ruby@sha256:2acb6aa2ac8390e4cd116d6925ef0201afd2aa8954cf471e981c06236a676276
public.ecr.aws/lambda/ruby:3.4	public.ecr.aws/lambda/ruby@sha256:2acb6aa2ac8390e4cd116d6925ef0201afd2aa8954cf471e981c06236a676276
public.ecr.aws/lambda/ruby:3.3	public.ecr.aws/lambda/ruby@sha256:6a65570479fdb0d7fab7dd755d256b016624678e946c4fbacaade01c0923fb54
public.ecr.aws/lambda/ruby:3.2	public.ecr.aws/lambda/ruby@sha256:ff5a94eabd5d931b983da803d38f454332e9627d0b0bde40baaa4293ea97cc7c

---

Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

---

Remediation Steps

• Update the affected package libcap from version 2.73-1.amzn2023.0.5 to 2.73-1.amzn2023.0.6.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.