0.13.1 - Please patch cve-2025-68121 - 10 CVSS

[gitandre]

Checks

• I've already read https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors and I'm sure my issue is not covered in the troubleshooting guide.
• I am using charts that are officially provided

Controller Version

0.11.0 and 0.12.1

Deployment Method

Helm

Checks

• This isn't a question or user support case (For Q&A and community support, go to Discussions).
• I've read the Changelog before submitting this issue and I'm sure it's not due to any recently-introduced backward-incompatible changes

To Reproduce

Scan the image ghcr.io/actions/gha-runner-scale-set-controller:0.13.1 with aquasec trivy opensouce

Describe the bug

The following targets...

actions-metrics-server
ghalistener
github-webhook-server
manager
sleep

...have been identified to have cve-2025-68121

https://nvd.nist.gov/vuln/detail/cve-2025-68121

Describe the expected behavior

It should not have this or any critical CVEs

Additional Context

It should not have this or any critical CVEs

Controller Logs

It should not have this or any critical CVEs

Runner Pod Logs

It should not have this or any critical CVEs

[github-actions]

Hello! Thank you for filing an issue.

The maintainers will triage your issue shortly.

In the meantime, please take a look at the troubleshooting guide for bug reports.

If this is a feature request, please review our contribution guidelines.