Platform: go
Component: zotregistry.dev/zot
Fixed in: 2.1.3, 2.1.2
CVE-2025-23208 is a vulnerability in zotregistry.dev/zot, the zot OCI container registry, in which the revocation of a user's group membership is ignored. An attacker who has been removed from a group can keep exercising that group's permissions, bypassing the registry's access controls. Versions before 2.1.2 are affected; the fix shipped in 2.1.2.
Zot can delegate authentication to an external identity provider (IdP) and grant permissions through access-control policies that name groups rather than individual users. When a user's membership in a group is revoked at the IdP, zot should stop granting that user the group's permissions on the next request. Because of this flaw, zot keeps applying the group memberships it recorded earlier, so a user who has been removed from a group retains the access the group confers. For a registry this means reading images the user should no longer see or, where the group holds create, update or delete rights, pushing to or deleting from repositories the user should no longer be able to write. The blast radius is bounded by the permissions granted to the affected group: a group referenced by the admin policy or by policies on sensitive repositories could lead to exposure or tampering of images. The stale membership could also be chained with other weaknesses to escalate privileges or widen access.
This CVE was published on 2025-01-28. At the time of writing there is no indication of active exploitation and it is not listed in the CISA KEV catalog. No public proof-of-concept (PoC) code is known. The practical impact depends on whether group-based policies are used and on what those groups are allowed to do.
Exploit Status
EPSS: 0.11% (29th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade zotregistry.dev/zot to version 2.1.2 or later. There is no direct workaround for the stale-membership behaviour itself, so if you cannot upgrade immediately, reduce what a stale membership is worth: review every policy that grants access by group name and restrict the groups' actions (in particular create, update and delete) to the minimum needed; when revoking a user at the IdP, also remove the user from any group or policy defined directly in zot's accessControl configuration; and monitor zot's logs for requests made by users after their group membership was revoked. Tightening authentication and authorization policy around the registry in general limits the damage a retained membership can do.
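The review step above is tedious to do by hand on a large config. The following Go program is an added example, not zot's own code or a tool shipped by the project: it parses the http.accessControl section of a zot config.json (field names follow zot's documented accessControl layout, which is an assumption about the schema) and lists every grant made by group name, flagging grants that confer write actions and groups that have no local definition under accessControl.groups. That second flag is a heuristic assumption: a group referenced in a policy but never defined locally must be supplied by the auth backend at login, which is exactly the membership this CVE fails to revoke. The embedded config is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// sampleConfig is a constructed example, not a real deployment. Only the
// http.accessControl section is exercised; other zot settings are omitted.
const sampleConfig = `{
  "http": {
    "accessControl": {
      "groups": {
        "platform-admins": { "users": ["alice"] },
        "auditors":        { "users": ["carol"] }
      },
      "repositories": {
        "**":        { "policies": [ { "groups": ["developers"], "actions": ["read", "create"] } ],
                       "defaultPolicy": ["read"] },
        "public/**": { "policies": [ { "groups": ["auditors"],   "actions": ["read"] } ] }
      },
      "adminPolicy": { "groups": ["platform-admins"], "actions": ["read", "create", "update", "delete"] }
    }
  }
}`

type policy struct {
	Users   []string `json:"users"`
	Groups  []string `json:"groups"`
	Actions []string `json:"actions"`
}

// zotConfig models just enough of config.json (http.accessControl) to enumerate
// group-based grants; fields we do not model are ignored by encoding/json.
type zotConfig struct {
	HTTP struct {
		AccessControl struct {
			Groups       map[string]struct{ Users []string `json:"users"` } `json:"groups"`
			Repositories map[string]struct{ Policies []policy `json:"policies"` } `json:"repositories"`
			AdminPolicy  policy `json:"adminPolicy"`
		} `json:"accessControl"`
	} `json:"http"`
}

// Finding is one group-based grant on one scope (a repository glob or "adminPolicy").
type Finding struct {
	Scope    string
	Group    string
	Actions  []string
	Write    bool // grants create, update or delete
	External bool // no local definition under accessControl.groups: membership comes from the auth backend
}

var writeActions = map[string]bool{"create": true, "update": true, "delete": true}

// AuditGroupPolicies returns every policy that grants access by group name,
// sorted by scope then group so the output is stable for review and diffing.
func AuditGroupPolicies(cfg []byte) ([]Finding, error) {
	var c zotConfig
	if err := json.Unmarshal(cfg, &c); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	ac := c.HTTP.AccessControl
	var out []Finding
	add := func(scope string, p policy) {
		for _, g := range p.Groups {
			_, local := ac.Groups[g]
			f := Finding{Scope: scope, Group: g, Actions: p.Actions, External: !local}
			for _, a := range p.Actions {
				if writeActions[a] {
					f.Write = true
				}
			}
			out = append(out, f)
		}
	}
	add("adminPolicy", ac.AdminPolicy)
	for repo, r := range ac.Repositories {
		for _, p := range r.Policies {
			add(repo, p)
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Scope != out[j].Scope {
			return out[i].Scope < out[j].Scope
		}
		return out[i].Group < out[j].Group
	})
	return out, nil
}

func main() {
	cfg := []byte(sampleConfig)
	if len(os.Args) > 1 { // pass a real config.json path to audit it instead
		var err error
		if cfg, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	findings, err := AuditGroupPolicies(cfg)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range findings {
		note := ""
		if f.Write && f.External {
			note = "  <-- write access via externally sourced group; review first"
		}
		fmt.Printf("%-12s group=%-16s actions=%v%s\n", f.Scope, f.Group, f.Actions, note)
	}
}
```

Run it with no arguments to see the constructed sample, or with the path to a zot config.json to audit a real one. Grants flagged as both Write and External are the ones to tighten first while the upgrade is pending: they are the permissions a user removed from an IdP group would keep on an unpatched registry.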
Update zot to version 2.1.2 or later. This version fixes the vulnerability in which revocation of IdP group membership was ignored, so that user permissions are once again derived correctly.
CVE-2025-23208 is a HIGH severity vulnerability affecting zot versions before 2.1.2. It lets a user whose group membership has been revoked keep the group's permissions, bypassing the registry's access controls.
If you run a zot version prior to 2.1.2 and grant access through group-based policies, you are affected. Assess your environment and upgrade as soon as possible.
Upgrade to version 2.1.2 or later of zotregistry.dev/zot to remediate the vulnerability. If immediate upgrade is not possible, implement temporary access control restrictions.
There is currently no public information indicating that CVE-2025-23208 is being actively exploited.
Refer to the Zot project's official advisory channels for the most up-to-date information regarding CVE-2025-23208.