diff --git a/Dockerfile b/Dockerfile
index 5f5e6a5..1b8cfa3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,4 +19,11 @@ RUN make clean install
 # Clean up build dependencies
 RUN rm -r /home/crawleruser/.m2
 
+# Remove ruby-maven and ruby-maven-libs gems, which are only needed at build time
+# for JAR dependency resolution. This also removes the bundled plexus-utils-3.5.1.jar
+# (CVE-2025-67030) from the production image.
+RUN rm -rf /usr/local/bundle/gems/ruby-maven-* \
+    /usr/local/bundle/specifications/ruby-maven-* \
+    /usr/local/bundle/cache/ruby-maven-*
+
 ENTRYPOINT [ "/bin/bash" ]
diff --git a/Dockerfile.wolfi b/Dockerfile.wolfi
index 74ea449..160cdb1 100644
--- a/Dockerfile.wolfi
+++ b/Dockerfile.wolfi
@@ -52,6 +52,13 @@ RUN make clean install
 # add more directories and files not to be copied to the runtime image from /home/app
 RUN rm -rf .git .github .idea .devcontainer .buildkite
 
+# Remove ruby-maven and ruby-maven-libs gems, which are only needed at build time
+# for JAR dependency resolution. This also removes the bundled plexus-utils-3.5.1.jar
+# (CVE-2025-67030) from the production image.
+RUN rm -rf /usr/local/bundle/gems/ruby-maven-* \
+    /usr/local/bundle/specifications/ruby-maven-* \
+    /usr/local/bundle/cache/ruby-maven-*
+
 # Create custom JDK using jlink
 RUN jlink \
     --add-modules java.base,jdk.crypto.ec,java.logging,java.management,java.naming,java.net.http,java.scripting,java.security.jgss,java.security.sasl,java.sql,jdk.unsupported \