During a security scan, some of the IDSP (VIP Auth Hub) container images were flagged as vulnerable.
IDSP version: prior to 4.0
Most of these alerts relate to the Node.js version and its peer dependencies.
One critical finding, CVE-2026-22184, concerns the **standalone `untgz` binary** from zlib's `contrib/` directory; see the note on that finding below.
Upgrade to IDSP version 4.0.1.1015 to resolve this issue.
With IDSP version 4.0.1 these vulnerabilities are resolved. As new Node.js and npm versions are released, they are applied automatically to the Docker images built for AdminConsole, SignIn, SignIn-Legacy and SelfServiceConsole.
Version 4.0.1.1015 uses Node.js 25.3.0, which resolves most of the findings.
IDSP 4.0.1.1015 resolves all HIGH findings. The remaining CRITICAL findings all relate to zlib; they are a false positive and can be ignored, for the reason explained below.
The critical vulnerability CVE-2026-22184 affects the **standalone `untgz` binary** from zlib's `contrib/` directory.
Alpine's **zlib package does not ship this binary**; it ships only the compression library (`libz.so`). The vulnerable code is therefore not present in the image, and the finding is a false positive. Scanners typically raise it by matching the installed zlib package version rather than by detecting the binary, so it may reappear on rescans; to confirm for a given image, list the package contents with `apk info -L zlib` inside the container and check that no `untgz` file is present.
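The following script is an added example for verifying both points above on a built image; it is not part of the original note or of the IDSP product. The image name, the Alpine zlib version string in the sample output and the helper names are assumptions; the only real commands used are `docker run`, `apk info -L`, `node --version` and `find`. The file-list classification runs offline on constructed sample output; the two `docker` helpers need a local image and are not exercised by the offline checks.

```shell
#!/bin/sh
# Added example (not from the original note): confirm that the zlib finding
# is a false positive and that the image runs the expected Node.js version.

# Print the file list of the Alpine zlib package inside IMAGE ($1).
# Assumes the image contains apk and sh; requires docker and the image locally.
zlib_files_in_image() {
    docker run --rm --entrypoint sh "$1" -c 'apk info -L zlib'
}

# Report any untgz binary anywhere in the image's filesystem (prints nothing
# when the finding is a false positive). Same requirements as above.
untgz_binary_in_image() {
    docker run --rm --entrypoint sh "$1" \
        -c 'find / -type f -name untgz 2>/dev/null'
}

# Print the Node.js version the image runs (e.g. "v25.3.0").
node_version_in_image() {
    docker run --rm --entrypoint node "$1" --version
}

# stdin: a package file list as `apk info -L` prints it (one path per line).
# Exit 0 if it names an untgz binary, 1 otherwise.
file_list_has_untgz() {
    grep -q -E '(^|/)untgz$'
}

# Exit 0 if the list contains the shared library we do expect to see.
file_list_has_libz() {
    grep -q -E '(^|/)libz\.so(\.[0-9]+)*$'
}

# Classify a zlib file list ($1):
#   present        - untgz is shipped, the finding is real
#   false-positive - only the library is shipped, the finding can be ignored
#   unknown        - neither was found, inspect the image by hand
classify_zlib_finding() {
    if printf '%s\n' "$1" | file_list_has_untgz; then
        echo present
    elif printf '%s\n' "$1" | file_list_has_libz; then
        echo false-positive
    else
        echo unknown
    fi
}

# Exit 0 if dotted numeric version $1 is >= $2 (handles "25.10.1" > "25.3.0";
# a leading "v" as printed by `node --version` is stripped first).
version_ge() {
    awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Constructed sample resembling `apk info -L zlib` on Alpine (version string
# is illustrative): only the shared library is listed.
SAMPLE_ZLIB_LIST='zlib-1.3.1-r0 contains:
usr/lib/libz.so.1
usr/lib/libz.so.1.3.1'

# Constructed counter-example: what a package that did ship the tool would list.
SAMPLE_WITH_UNTGZ='zlib-1.3.1-r0 contains:
usr/lib/libz.so.1
usr/bin/untgz'

# Live check against an image; IMAGE is an assumed placeholder name.
check_image() {
    IMAGE="${1:-idsp/signin:4.0.1.1015}"
    echo "zlib finding: $(classify_zlib_finding "$(zlib_files_in_image "$IMAGE")")"
    echo "untgz binaries: $(untgz_binary_in_image "$IMAGE")"
    NODE_VER="$(node_version_in_image "$IMAGE")"
    if version_ge "$NODE_VER" "25.3.0"; then
        echo "node $NODE_VER: ok"
    else
        echo "node $NODE_VER: older than the 25.3.0 shipped in 4.0.1.1015"
    fi
}
```

Run `check_image <image:tag>` with the image pulled locally; the offline classification alone shows why the scanner result is a false positive: the sample list contains `libz.so` but no `untgz`, so `classify_zlib_finding` returns `false-positive`, whereas a package that actually shipped `usr/bin/untgz` would be reported as `present`.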