---
Zot is a widely used, production-ready, and vendor-neutral OCI image registry that provides capabilities for storing and managing container images. However, a vulnerability (CVE-2025-23208) has been identified in how it handles group revocations/removals, which can lead to unauthorized access. In this post, we will explore the details of the vulnerability, the affected versions, and the remediation steps required to mitigate this issue.

Vulnerability Details

---
The vulnerability stems from the way group data is stored for users in the boltdb database (meta.db) as an append-only list. When the SetUserGroups function is called during login, the groups reported by the Identity Provider (IdP) are appended to the stored list instead of replacing it. As a result, group-based authorization can continue to honour memberships that the IdP has since revoked or removed.

Code Snippet

---
Here is a code snippet illustrating how new groups are appended instead of replacing the existing group memberships:

// Illustrative pre-2.1.2 behaviour: groups reported at login are only ever
// appended to the user's stored list.
func SetUserGroups(user *User, newGroups []string) error {
	for _, group := range newGroups {
		// Adds any group the user does not already have...
		if !user.IsMemberOf(group) {
			user.Groups = append(user.Groups, group)
		}
	}
	// ...but a group absent from newGroups (revoked at the IdP) is never removed.
	return nil
}

As we can see here, the function only ever adds groups: a group that is absent from newGroups because the IdP revoked it is never removed from user.Groups, so the stale membership keeps being honoured at authorization time.
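To make the failure mode concrete, here is an added, self-contained example; it is not Zot's own code, and the Account type, setGroupsAppendOnly, setGroupsReplace, StaleGroups and the group names are assumptions constructed for illustration. It logs the same user in twice, first while the IdP asserts two groups and then after one has been revoked, and shows that the append-only policy still grants the revoked group while a replace-on-login policy drops it. StaleGroups is the kind of check an operator could run against stored memberships versus a fresh IdP assertion to spot leftovers written before the upgrade.

```go
package main

import (
	"fmt"
	"sort"
)

// Account is a hypothetical stand-in for the per-user record Zot keeps in
// meta.db; it is not Zot's own type.
type Account struct {
	Name   string
	Groups []string
}

// IsMemberOf reports whether the stored membership list contains group.
func (a *Account) IsMemberOf(group string) bool {
	for _, g := range a.Groups {
		if g == group {
			return true
		}
	}
	return false
}

// setGroupsAppendOnly mirrors the pre-2.1.2 behaviour: every group the IdP
// reports at login is added, but a group the IdP no longer reports is kept.
func setGroupsAppendOnly(a *Account, idpGroups []string) {
	for _, g := range idpGroups {
		if !a.IsMemberOf(g) {
			a.Groups = append(a.Groups, g)
		}
	}
}

// setGroupsReplace is the intended semantics: the IdP's list at login is the
// complete membership, so anything not in it is dropped. Duplicates are
// collapsed and the result sorted so two logins with the same claims store
// the same list.
func setGroupsReplace(a *Account, idpGroups []string) {
	seen := make(map[string]struct{}, len(idpGroups))
	groups := make([]string, 0, len(idpGroups))
	for _, g := range idpGroups {
		if _, dup := seen[g]; dup {
			continue
		}
		seen[g] = struct{}{}
		groups = append(groups, g)
	}
	sort.Strings(groups)
	a.Groups = groups
}

// StaleGroups returns the groups present in a stored membership list but
// absent from a fresh IdP assertion: exactly the leftovers an append-only
// store accumulates. Useful for auditing records written before the fix.
func StaleGroups(stored, idpGroups []string) []string {
	current := make(map[string]struct{}, len(idpGroups))
	for _, g := range idpGroups {
		current[g] = struct{}{}
	}
	var stale []string
	for _, g := range stored {
		if _, ok := current[g]; !ok {
			stale = append(stale, g)
		}
	}
	sort.Strings(stale)
	return stale
}

// SimulateRevocation logs one user in twice: first while the IdP still asserts
// "release-pushers", then after that group has been revoked. It returns whether
// the account still passes a "release-pushers" check under each policy.
func SimulateRevocation() (appendOnlyStillMember, replaceStillMember bool) {
	firstLogin := []string{"developers", "release-pushers"} // constructed sample claims
	secondLogin := []string{"developers"}                   // IdP has revoked release-pushers

	vulnerable := &Account{Name: "alice"}
	setGroupsAppendOnly(vulnerable, firstLogin)
	setGroupsAppendOnly(vulnerable, secondLogin)

	fixed := &Account{Name: "alice"}
	setGroupsReplace(fixed, firstLogin)
	setGroupsReplace(fixed, secondLogin)

	return vulnerable.IsMemberOf("release-pushers"), fixed.IsMemberOf("release-pushers")
}

func main() {
	v, f := SimulateRevocation()
	fmt.Printf("append-only store still grants release-pushers: %v\n", v)      // true
	fmt.Printf("replace-on-login store still grants release-pushers: %v\n", f) // false
	fmt.Println("stale groups to clean up:",
		StaleGroups([]string{"developers", "release-pushers"}, []string{"developers"}))
}
```

The replace-on-login variant treats the IdP's assertion as the single source of truth for membership, which is what a revocation at the IdP requires; the append-only variant can only ever grow, so the longer a user's record lives, the more privileges it silently retains.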

Affected Versions

---
The group revocation/removal vulnerability affects all versions of Zot up to and including version 2.1.1.

Remediation

---
To address this issue, the Zot project has released version 2.1.2, which includes the necessary fixes. All users are advised to upgrade to v2.1.2 as soon as possible. The updated version can be downloaded from the following link:

- Zot v2.1.2 Release

There are no known workarounds for this vulnerability, so it is highly recommended to update to the latest version to prevent any potential unauthorized access.

Conclusion

---
Security issues like CVE-2025-23208 can have a significant impact on deployments that rely on group-based authorization. Immediate action, such as upgrading to Zot version 2.1.2, is crucial to ensuring the integrity and security of the Zot image registry. Ensure that you continuously monitor for updates and patches to maintain the security posture of your environment.

Original References

---
For detailed information on this vulnerability and the associated patch, you can refer to the following sources:

- CVE-2025-23208 CVE Details
- Zot Repository and Release Notes

Timeline

Published on: 01/17/2025 23:15:13 UTC