Support Content Notification - Support Portal

Product Release Advisory - Tanzu Platform for Cloud Foundry 4.0.38+LTS-T

Product/Component

Tanzu Kubernetes Runtime

5 more products

Notification Id

35966

Last Updated

24 July 2025

Initial Publication Date

24 July 2025

Status

CLOSED

Severity

CRITICAL

CVSS Base Score

9.4

WorkAround

N/A

Affected CVE

See CVE list in advisory

Product Release Advisory - Tanzu Platform for Cloud Foundry 4.0.38+LTS-T

	Advisory Details
Severity	Critical
CVSSv3 Range	9.4
CVSSv3 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Issue Date	2025-07-24
Updated on

Product Version Release Advisory

Product Release Tanzu Platform for Cloud Foundry 4.0.38+LTS-T
Product Release Notes: https://techdocs.broadcom.com/us/en/vmware-tanzu/platform/tanzu-platform-for-cloud-foundry/4-0/tpcf/runtime-rn.html#4.0.38

Security Fixes This release has the following security fixes, listed by component and area.

Component	Vulnerabilities Resolved
nodejs-offline-buildpack	CVE-2025-4517 (Critical)
routing	CVE-2025-22871 (Critical)
capi	GHSA-g85v-wf27-67xc (CVE-2024-52587) (High)
credhub uaa	GHSA-hq9p-pm7w-8p54 (CVE-2025-49146) (High)
diego	CVE-2024-53427 (High)
java-offline-buildpack	GHSA-vv7r-c36w-3prj (CVE-2025-48976) (High)
push-apps-manager-release	GHSA-xffm-g5w8-qvg7 (No known CVE) (High)
garden-runc	GHSA-cm76-qm8v-3j95 (CVE-2025-47290) (High)
java-offline-buildpack	GHSA-4jrv-ppp4-jm57 (CVE-2022-25647) (High)
java-offline-buildpack	GHSA-fg7x-g82r-94qc (CVE-2023-28756) (High)
diego	GHSA-mh63-6h87-95cp (CVE-2025-30204) (High)
uaa	GHSA-25xr-qj8w-c4vf (CVE-2025-53506) (High)
nodejs-offline-buildpack	CVE-2025-4330 (High)
uaa cf-autoscaling credhub	GHSA-h3gc-qfqq-6h8f (CVE-2025-48988) (High)
nodejs-offline-buildpack	CVE-2025-4435 (High)
capi	GHSA-gjh7-p2fx-99vx (CVE-2025-46727) (High)
diego	CVE-2025-48060 (High)
routing push-apps-manager-release	GHSA-6v2p-p543-phr9 (CVE-2025-22868) (High)
capi r-offline-buildpack notifications mysql-monitoring pxc nfs-volume garden-runc notifications-ui diego staticfile-offline-buildpack nodejs-offline-buildpack nats go-offline-buildpack dotnet-core-offline-buildpack smb-volume	CVE-2025-22874 (High)
uaa	GHSA-4j3c-42xv-3f84 (CVE-2025-52434) (High)
nodejs-offline-buildpack	CVE-2025-4138 (High)
java-offline-buildpack	GHSA-hv5j-3h9f-99c2 (CVE-2023-28755) (High)
dotnet-core-offline-buildpack go-offline-buildpack r-offline-buildpack diego smb-volume mysql-monitoring nodejs-offline-buildpack nfs-volume garden-runc nats staticfile-offline-buildpack notifications pxc capi notifications-ui	CVE-2025-4673 (Medium)
java-offline-buildpack	CVE-2024-27282 (Medium)
diego	CVE-2024-23337 (Medium)
credhub cf-autoscaling	GHSA-6r3c-xf4w-jxjm (CVE-2025-41234) (Medium)
java-offline-buildpack	GHSA-7fc5-f82f-cx69 (CVE-2025-25186) (Medium)
nfs-volume	CVE-2025-4575 (Medium)
smb-volume nfs-volume cf-autoscaling	GHSA-vrw8-fxc6-2r93 (No known CVE) (Medium)
credhub uaa cf-autoscaling	GHSA-wc4r-xq3c-5cf3 (CVE-2025-49125) (Medium)
capi	GHSA-mxr3-8whj-j74r (CVE-2025-32955) (Medium)
java-offline-buildpack	GHSA-4h8f-2wvx-gg5w (CVE-2024-34447) (Medium)
java-offline-buildpack	GHSA-v435-xc8x-wvr9 (CVE-2024-30171) (Medium)
nodejs-offline-buildpack	CVE-2025-4516 (Medium)
java-offline-buildpack	GHSA-gh9q-2xrm-x6qv (CVE-2025-27219) (Medium)
pxc mysql-monitoring garden-runc nats capi notifications smb-volume go-offline-buildpack staticfile-offline-buildpack nodejs-offline-buildpack r-offline-buildpack diego notifications-ui nfs-volume dotnet-core-offline-buildpack	CVE-2025-0913 (Medium)
java-offline-buildpack	GHSA-m5vv-6r4h-3vj9 (CVE-2024-35255) (Medium)
java-offline-buildpack	GHSA-7g45-4rm6-3mm3 (CVE-2023-2976) (Medium)
routing cf-autoscaling	CVE-2025-49014 (Medium)
java-offline-buildpack	GHSA-m44j-cfrm-g8qc (CVE-2024-30172) (Medium)
java-offline-buildpack	GHSA-8xfc-gm6g-vgpv (CVE-2024-29857) (Medium)
nodejs-offline-buildpack	CVE-2024-12718 (Medium)
java-offline-buildpack	GHSA-hww2-5g85-429m (CVE-2023-36617) (Medium)
java-offline-buildpack	GHSA-p53j-g8pw-4w5f (CVE-2020-36843) (Medium)
capi	GHSA-vpfw-47h7-xj4g (CVE-2025-32441) (Medium)
java-offline-buildpack	GHSA-mhwm-jh88-3gjf (CVE-2025-27220) (Medium)
java-offline-buildpack	GHSA-5mg8-w23w-74h3 (CVE-2020-8908) (Low)
java-offline-buildpack	GHSA-22h5-pq3x-2gf2 (CVE-2025-27221) (Low)
uaa	GHSA-h2fw-rfh5-95r3 (CVE-2025-46701) (Low)