CVE-2025-23208
CVE-2025-23208 is a high-severity vulnerability in Zotregistry Zot with a CVSS 3.x base score of 7.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-269.
Key facts
- Severity: High (CVSS 3.x base score 7.3)
- EPSS exploit prediction: 0% (31st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-0111
- Weakness: CWE-269
- Affected product: Zotregistry Zot
- Published:
- Last modified:
Description
zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. SetUserGroups is alled on login, but instead of replacing the group memberships, they are appended. This may be due to some conflict with the group definitions in the config file, but that wasn't obvious to me if it were the case. Any Zot configuration that relies on group-based authorization will not respect group remove/revocation by an IdP. This issue has been addressed in version 2.1.2. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Frequently asked questions
- What is CVE-2025-23208?
- zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. SetUserGroups is alled on login, but instead of replacing the group memberships, they are appended. This may be due to some conflict with the group definitions in the config file, but that wasn't obvious to me if it were the case. Any Zot configuration that relies on group-based authorization will not respect group remove/revocation by an IdP. This issue has been addressed in version 2.1.2. All users are advised to upgrade. There are no known workarounds for this vulnerability.
- How severe is CVE-2025-23208?
- CVE-2025-23208 has a CVSS 3.x base score of 7.3, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability low.
- Is CVE-2025-23208 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (31st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-23208?
- CVE-2025-23208 affects Zotregistry Zot. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-23208?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-23208 have an EU (EUVD) identifier?
- Yes. CVE-2025-23208 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-0111.
- When was CVE-2025-23208 published?
- CVE-2025-23208 was published on 2025-01-17 and last updated on 2026-06-17.
References
- https://github.com/project-zot/zot/blob/5e30fec65c49e3139907e2819ccb39b2e3bd784e/pkg/meta/boltdb/boltdb.go#L1665
- https://github.com/project-zot/zot/commit/002ac62d8a15bf0cba010b3ba7bde86f9837b613
- https://github.com/project-zot/zot/security/advisories/GHSA-c9p4-xwr9-rfhx
Affected products (1)
- cpe:2.3:a:zotregistry:zot:*:*:*:*:*:*:*:*
More vulnerabilities in Zotregistry Zot
- CVE-2026-31801 — High (CVSS 7.7): zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From…
- CVE-2024-39897 — Medium (CVSS 4.3): zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without…
All CVEs affecting Zotregistry Zot →
Other CWE-269 (Improper Privilege Management) vulnerabilities
- CVE-2026-31852 — Critical (CVSS 10.0): Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is…
- CVE-2025-20282 — Critical (CVSS 10.0): A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2025-0505 — Critical (CVSS 10.0): On Arista CloudVision systems (virtual or physical on-premise deployments), Zero Touch Provisioning can be used to gain…
- CVE-2023-48418 — Critical (CVSS 10.0): In checkDebuggingDisallowed of DeviceVersionFragment.java, there is a possible way to access adb before SUW…
- CVE-2023-48419 — Critical (CVSS 10.0): An attacker in the wifi vicinity of a target Google Home can spy on the victim, resulting in Elevation of Privilege
- CVE-2023-31273 — Critical (CVSS 10.0): Protection mechanism failure in some Intel DCM software before version 5.2 may allow an unauthenticated user to…
Browse all CWE-269 (Improper Privilege Management) vulnerabilities →