Catalog | build with confidence

busybox

latest

A minimal Linux environment with BusyBox, a lightweight implementation of common Unix utilities in a single executable. BusyBox combines tiny versions of many common Unix utilities into a single small executable, providing replacements for most of the utilities you would usually find in GNU fileutils, shellutils, etc.

Getting Started

To pull the image:

docker pull registry.hardened.eu/library/busybox:latest

Verifying Image Signatures

All Hardened B.V. images are signed using cosign. You can verify the signature using the following steps:

Save the public key:

cat >hardened.pub <<EOL
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbxhUFlXkIIbDzdRAR9rc6kDPNb+k
J48lhqqlOMyiq3jkbKXNj2sEFMduFlNh63MrZA59PKf4TjS1AiCrvaFXNA==
-----END PUBLIC KEY-----
EOL

Verify the image signature:

cosign verify --key hardened.pub registry.hardened.eu/library/busybox:latest

The verification will show the signature details and confirm the image’s authenticity.

To verify the SBOM, run the following command:

cosign verify-attestation --type spdxjson --key hardened.pub registry.hardened.eu/library/busybox:latest

To download the SBOM, run the same command and decode it:

cosign verify-attestation --type spdxjson --key hardened.pub registry.hardened.eu/library/busybox:latest | jq -r .payload | base64 -d | jq -r .predicate > busybox-spdx.json

Trademarks

This software is packaged by Hardened B.V. All trademarks are property of their respective owners. Use of these images does not imply any affiliation or endorsement.

The latest tag is only public. Contact us for detailed information.

Hash	Tag	Size (compressed)	Last updated	Actions
sha256:eb1fab1e06e36...	latest x86_64	0.91 MB	18:02:28 05/08/2025 UTC (Calculating...)
••••••••••••	••••••••••••	••••••••••••	••••••••••••	Contact Hardened

Showing 3 packages

Package	Version	License
alpine-os-release	3.22-r2	MIT
busybox	1.37.0-r19	GPL-2.0-only
musl	1.2.5-r10	MIT

	CVE	Severity	Package	Version	Fixed In
	CVE-2024-58251	Low	busybox	1.37.0-r19	Not fixed
In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim. CVE: CVE-2024-58251 Package: busybox Version: 1.37.0-r19 Severity: LOW Fixed In: Not fixed
	CVE-2025-46394	Low	busybox	1.37.0-r19	Not fixed
In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences. CVE: CVE-2025-46394 Package: busybox Version: 1.37.0-r19 Severity: LOW Fixed In: Not fixed

busybox

GPL-2.0 (strong-copyleft)

MIT (permissive)

Compare Images