CVE-2025-23208
Published: 17 January 2025
Summary
CVE-2025-23208 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Zotregistry Zot. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 28.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the code flaw in zot's SetUserGroups function by requiring identification, reporting, and correction through timely patching to version 2.1.2.
- AC-2 (Account Management): mandates proper management, assignment, and revocation of user group memberships so that IdP revocations are enforced and unauthorized access is prevented.
- AC-3 (Access Enforcement): requires access enforcement mechanisms that restrict logical access based on current, accurate group authorizations, addressing the API's failure to respect group removals.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing OCI registry (zot) allows unprivileged network exploitation that bypasses group-based authorization revocations, so a valid account can be abused for unauthorized access.
NVD Description
zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. SetUserGroups is called on login, but instead of replacing the group memberships, they are appended. This may be due to some conflict with the group definitions in the config file, but that wasn't obvious to me if it were the case. Any Zot configuration that relies on group-based authorization will not respect group remove/revocation by an IdP. This issue has been addressed in version 2.1.2. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Deeper analysis
CVE-2025-23208 is a vulnerability in zot, a production-ready vendor-neutral OCI image registry, published on 2025-01-17. It stems from improper handling of user group data in the boltdb database (meta.db): groups are stored as an append-list, so revocations or removals are ignored by the API. On login, the SetUserGroups function appends the newly presented group memberships rather than replacing the stored ones, possibly because of a conflict with the group definitions in the config file. This breaks group-based authorization in any zot configuration that depends on Identity Provider (IdP) revocations. The issue is rated CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and mapped to CWE-269.
The vulnerability is exploitable over the network with low complexity, no privileges, and no user interaction. A user whose group access has been revoked by the IdP can log in and retain the earlier memberships, because the new list is appended without removing the old one; the user therefore keeps unauthorized access to registry resources, bypassing the intended controls, with low impact on confidentiality, integrity, and availability.
The issue is fixed in zot version 2.1.2, with users advised to upgrade immediately, as no workarounds exist. Details appear in the project-zot/zot security advisory at GHSA-c9p4-xwr9-rfhx, the patching commit 002ac62d8a15bf0cba010b3ba7bde86f9837b613, and affected code at pkg/meta/boltdb/boltdb.go line 1665.
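The append-versus-replace behaviour described above, as an added illustration that is not zot's code: a simplified in-memory group store (the `Store`, `SetUserGroupsVulnerable`, `SetUserGroupsFixed`, `IsMember` and `RevocationHonoured` names, and the user "alice" with groups "admins" and "devs", are all hypothetical) replays an IdP revocation through both the flawed and the corrected login path.

```go
package main

import "fmt"

// Simplified in-memory model of the per-user record the advisory describes
// (a group list persisted at login). Illustration only, not zot's boltdb
// (meta.db) schema or code; all names here are hypothetical.
type Store struct{ groups map[string][]string }

func NewStore() *Store { return &Store{groups: map[string][]string{}} }

// SetUserGroupsVulnerable reproduces the flawed pattern: the groups the IdP
// presents at login are appended to whatever is already stored, so a group
// the IdP has since revoked is never removed.
func (s *Store) SetUserGroupsVulnerable(user string, idpGroups []string) {
	s.groups[user] = append(s.groups[user], idpGroups...)
}

// SetUserGroupsFixed replaces the stored list with exactly the current IdP
// claim, so a revocation takes effect on the user's next login.
func (s *Store) SetUserGroupsFixed(user string, idpGroups []string) {
	s.groups[user] = append([]string(nil), idpGroups...)
}

// IsMember is the check a group-based authorization policy would consult.
func (s *Store) IsMember(user, group string) bool {
	for _, g := range s.groups[user] {
		if g == group {
			return true
		}
	}
	return false
}

// RevocationHonoured replays the advisory's scenario with a constructed
// user: first login with admins+devs, the IdP then revokes admins, second
// login with devs only. It reports whether the admins membership is gone.
func RevocationHonoured(set func(*Store, string, []string)) bool {
	s := NewStore()
	set(s, "alice", []string{"admins", "devs"})
	set(s, "alice", []string{"devs"}) // IdP has revoked admins
	return !s.IsMember("alice", "admins")
}

func main() {
	fmt.Println("append-list honours revocation:", RevocationHonoured((*Store).SetUserGroupsVulnerable)) // false
	fmt.Println("replace honours revocation:", RevocationHonoured((*Store).SetUserGroupsFixed))          // true
}
```

A useful detection check for a deployment is the same comparison: after a user's next login, the stored group list should equal the IdP's current claim, not be a superset of it.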
Details
- CWE(s)