Docker Distribution is a toolkit that helps developers package, ship, store, and deliver containerized content. A serious security vulnerability was recently identified in registry versions 3..-beta.1 through 3..-rc.2 when token authentication is enabled. In those configurations, token authentication may permit an attacker to inject an untrusted signing key through the JSON Web Token (JWT) header. The issue stems from an oversight in the JSON Web Key (JWK) verification process.

Details

When a JWT carries a JWK header without a certificate chain, the code merely checks that the KeyID (kid) matches one of the trusted keys. It does not confirm that the key material in the header matches the trusted key registered under that ID. Consequently, an attacker who supplies a JWK with a known kid but their own key material can have that untrusted key treated as a signing key.

Here is the vulnerable logic, sketched as pseudocode (the registry itself is written in Go):

# jwk is the parsed key from the token header; trusted_keys maps kid -> trusted key.
def lookup_signing_key(jwk, trusted_keys):
    # Check if the KeyID matches one of the trusted keys
    if jwk.kid and jwk.kid in trusted_keys:
        # Verify the key material
        verified_key = trusted_keys[jwk.kid]
        # TODO: Check if the actual key material matches
        return verified_key
    return None
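The following Go example, added here and not taken from the Docker Distribution source, contrasts the flawed key selection with one that also compares key material. JWKHeader, selectKeyVulnerable, selectKeyFixed and newP256Pub are hypothetical names; the struct stands in for the registry's go-jose JWK header type, and the keys are constructed test data.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"fmt"
)

// JWKHeader (hypothetical) models the JWT "jwk" header: a key ID and the public key the token carries.
type JWKHeader struct {
	Kid string
	Key crypto.PublicKey
}

// selectKeyVulnerable reproduces the flaw: once the kid is known, the key from the token is used.
func selectKeyVulnerable(h JWKHeader, trusted map[string]crypto.PublicKey) (crypto.PublicKey, error) {
	if _, ok := trusted[h.Kid]; h.Kid == "" || !ok {
		return nil, fmt.Errorf("untrusted key id %q", h.Kid)
	}
	return h.Key, nil // BUG: the key material is never compared against trusted[h.Kid]
}

// selectKeyFixed requires the header key to equal the trusted key for that kid and returns the trusted copy.
func selectKeyFixed(h JWKHeader, trusted map[string]crypto.PublicKey) (crypto.PublicKey, error) {
	want, ok := trusted[h.Kid]
	if h.Kid == "" || !ok {
		return nil, fmt.Errorf("untrusted key id %q", h.Kid)
	}
	// Standard-library public keys implement Equal; compare the material, not just the id.
	cmp, ok := want.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !cmp.Equal(h.Key) {
		return nil, fmt.Errorf("key material for kid %q does not match the trusted key", h.Kid)
	}
	return want, nil
}

// newP256Pub generates a fresh P-256 public key (constructed test data).
func newP256Pub() crypto.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &k.PublicKey
}

func main() {
	trusted := map[string]crypto.PublicKey{"registry-signer": newP256Pub()}
	rogue := JWKHeader{Kid: "registry-signer", Key: newP256Pub()} // known kid, foreign key material
	_, err := selectKeyVulnerable(rogue, trusted)
	fmt.Println("vulnerable lookup accepted the foreign key:", err == nil)
	_, err = selectKeyFixed(rogue, trusted)
	fmt.Println("fixed lookup rejected the foreign key:", err != nil)
}
```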

Thankfully, a fix for the issue has been implemented and can be found at commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd. This fix is slated to be included in version 3..-rc.3 of the Docker Distribution.

Unfortunately, if a system requires token authentication, there is no viable workaround other than applying the patch.

Recommendations

- Upgrade to Docker Distribution Registry version 3..-rc.3, once it is released, to incorporate the fix.
- For those operating a registry with token authentication, apply the aforementioned patch to ensure protection against this vulnerability.

References

- Docker Distribution Repository: https://github.com/docker/distribution
- Commit with the fix: 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd

Conclusion

This security vulnerability (CVE-2025-24976) in Docker Distribution Registry is an important reminder for developers to carefully review their token authentication processes and ensure that proper verification of key material is in place. Upgrading to version 3..-rc.3 and integrating the available fix for this issue will go a long way in strengthening the security of containerized environments.

Timeline

Published on: 02/11/2025 16:15:52 UTC