edgecases-PurpleHax/cve-images


# cve-images — intentionally vulnerable lab images

A collection of **deliberately vulnerable** Docker images for security study in an isolated lab. Started as nginx CVE reproductions and is growing into a broader set of vulnerable-by-design images (e.g. DVWA).

## nginx CVE images

All built on a shared base that compiles **nginx 1.30.0 from source** — the last release affected by these CVEs (fixed in 1.30.1 / 1.31.0).

| Directory | Image | CVE | Module / area |
|---|---|---|---|
| `base/` | `rwils83/nginx-vuln-base:1.30.0` | — | shared nginx 1.30.0 source build |
| `cve-2026-42945-rewrite-lab/` | `rwils83/cve-2026-42945` | CVE-2026-42945 | rewrite module heap overflow (RCE) |
| `cve-2026-42946-scgi-uwsgi-lab/` | `rwils83/cve-2026-42946` | CVE-2026-42946 | scgi/uwsgi buffer overread |
| `cve-2026-40701-resolver-lab/` | `rwils83/cve-2026-40701` | CVE-2026-40701 | resolver use-after-free (OCSP) |
| `cve-2026-42934-charset-lab/` | `rwils83/cve-2026-42934` | CVE-2026-42934 | charset module buffer overread |

## Application images

| Directory | Image | Notes |
|---|---|---|
| `dvwa-curl-lab/` | `rwils83/dvwa_with_curl` | maintained DVWA (`ghcr.io/digininja/DVWA`) + curl/python3 |

Each folder has its own `README.md` with details and references.

## Build locally

The nginx base must be built first (the CVE images `FROM` it):

```bash
docker build -t rwils83/nginx-vuln-base:1.30.0 ./base
docker build -t rwils83/cve-2026-42945:1.30.0 ./cve-2026-42945-rewrite-lab
docker build -t rwils83/cve-2026-42946:1.30.0 ./cve-2026-42946-scgi-uwsgi-lab
docker build -t rwils83/cve-2026-40701:1.30.0 ./cve-2026-40701-resolver-lab
docker build -t rwils83/cve-2026-42934:1.30.0 ./cve-2026-42934-charset-lab
docker build -t rwils83/dvwa_with_curl:latest ./dvwa-curl-lab
```

`./build_all.sh` builds the nginx set (base + 4 CVE images).

## Releases (GitHub Actions → Docker Hub)

CI builds every `*-lab/` image on each PR/push (build-only, no push) to catch breakage before merge.

Publishing is driven by git tags:

| Tag pattern | Builds & pushes | Tags applied |
|---|---|---|
| `v*` (e.g. `v1.30.0-lab.2`) | the four nginx CVE images | `` + `:latest` |
| `dvwa-v*` (e.g. `dvwa-v1`) | `dvwa_with_curl` | `` + `:latest` |

```bash
git tag v1.30.0-lab.2 && git push --tags   # release the nginx images
git tag dvwa-v1 && git push --tags         # release DVWA
```

Publishing requires the repo secrets `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN`.
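
The ordering rule under "Build locally" (base first, because the CVE images `FROM` it) can be derived from the Dockerfiles instead of being hard-coded. The script below is an added example, not the repository's `build_all.sh`: it is a dry run that never calls docker, and the function names, the sample Dockerfile contents and `debian:stable-slim` are assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the repository): derive build order from FROM lines.
BASE_IMAGE="rwils83/nginx-vuln-base:1.30.0"   # base image name from the README

# Print the image named by each FROM line, skipping flags such as --platform.
from_images() {
    awk 'toupper($1) == "FROM" {
             i = 2
             while (i <= NF && $i ~ /^--/) i++
             if (i <= NF) print $i
         }' "$1"
}

# Print directories in build order: base (if needed), labs built FROM it, the rest.
plan_order() {
    repo=$1; dependents=""; independent=""
    for df in "$repo"/*-lab/Dockerfile; do
        [ -f "$df" ] || continue
        dir=$(basename "$(dirname "$df")")
        if from_images "$df" | grep -qxF "$BASE_IMAGE"; then
            dependents="$dependents $dir"
        else
            independent="$independent $dir"
        fi
    done
    if [ -n "$dependents" ]; then
        # A lab that needs the base cannot build without base/Dockerfile.
        [ -f "$repo/base/Dockerfile" ] || { echo "base/Dockerfile missing" >&2; return 1; }
        echo base
    fi
    for d in $dependents $independent; do echo "$d"; done
}

# Constructed sample tree; the Dockerfile contents are assumptions for the demo.
make_sample_repo() {
    root=$(mktemp -d)
    mkdir -p "$root/base" "$root/cve-2026-42945-rewrite-lab" \
             "$root/cve-2026-40701-resolver-lab" "$root/dvwa-curl-lab"
    echo "FROM debian:stable-slim" > "$root/base/Dockerfile"
    echo "FROM $BASE_IMAGE" > "$root/cve-2026-42945-rewrite-lab/Dockerfile"
    printf '# FROM commented:out\nFROM --platform=linux/amd64 %s AS lab\n' \
        "$BASE_IMAGE" > "$root/cve-2026-40701-resolver-lab/Dockerfile"
    echo "FROM ghcr.io/digininja/dvwa:latest" > "$root/dvwa-curl-lab/Dockerfile"
    echo "$root"
}

sample=$(make_sample_repo)
plan_order "$sample"
rm -rf "$sample"
```

A `FROM` that takes its image from a build `ARG` is not resolved by this parser, so such a lab would be listed as independent of the base.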