Cyber Posture

CVE-2025-23208

High · Public PoC

Published: 17 January 2025
Modified: 04 March 2025
KEV Added
Patch
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0011 (28.5th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. SetUserGroups is called on login, but instead of replacing the group memberships, they are appended. This may be due to some conflict with the group definitions in the config file, but that wasn't obvious to me if it were the case. Any Zot configuration that relies on group-based authorization will not respect group remove/revocation by an IdP. This issue has been addressed in version 2.1.2. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Security Summary

CVE-2025-23208 is a vulnerability in zot, a production-ready vendor-neutral OCI image registry, published on 2025-01-17. It stems from improper handling of user group data in the boltdb database (meta.db), where groups are stored as an append-list, causing revocations or removals to be ignored by the API. Upon login, the SetUserGroups function appends new group memberships rather than replacing existing ones, potentially due to conflicts with config file group definitions. This breaks group-based authorization in any zot configuration dependent on Identity Provider (IdP) revocations, rated at CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and mapped to CWE-269.

The CVSS vector describes an attack that is reachable over the network, of low complexity, and requires neither privileges nor user interaction. In practice, a user whose group membership has been revoked at the IdP can log in again and keep the earlier memberships, because each login appends to the stored list instead of replacing it; the user retains access to registry resources that group-based policy should no longer grant, with low impact on confidentiality, integrity, and availability.

The issue is fixed in zot version 2.1.2, with users advised to upgrade immediately, as no workarounds exist. Details appear in the project-zot/zot security advisory at GHSA-c9p4-xwr9-rfhx, the patching commit 002ac62d8a15bf0cba010b3ba7bde86f9837b613, and affected code at pkg/meta/boltdb/boltdb.go line 1665.
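To make the failure mode concrete, the following Go model (an added example, not zot's code) contrasts the append semantics the advisory describes with the replace semantics that honours an IdP revocation; the in-memory store, the user "alice" and the group names are constructed for the example.

```go
package main

import "fmt"

// groupStore is a simplified in-memory stand-in for a per-user group record
// in meta.db. Illustrative only, not zot's code; one flat list per user.
type groupStore struct {
	groups map[string][]string
}

// setUserGroupsAppend models the CVE-2025-23208 behaviour: every login
// appends the groups the IdP reports, so a group the IdP no longer reports
// is never removed from the stored record.
func (s *groupStore) setUserGroupsAppend(user string, idpGroups []string) {
	s.groups[user] = append(s.groups[user], idpGroups...)
}

// setUserGroupsReplace is the corrected semantics: after login the stored
// record is exactly what the IdP reported, so revocations take effect.
func (s *groupStore) setUserGroupsReplace(user string, idpGroups []string) {
	fresh := make([]string, len(idpGroups))
	copy(fresh, idpGroups)
	s.groups[user] = fresh
}

// hasGroup is the check a group-based authorization policy would run.
func (s *groupStore) hasGroup(user, group string) bool {
	for _, g := range s.groups[user] {
		if g == group {
			return true
		}
	}
	return false
}

// revocationRespected runs the advisory's scenario: a user logs in as a
// member of "admins", the IdP revokes that group, and the user logs in
// again. It reports whether the second login dropped "admins".
func revocationRespected(set func(*groupStore, string, []string)) bool {
	s := &groupStore{groups: map[string][]string{}}
	set(s, "alice", []string{"admins", "developers"}) // constructed first login
	set(s, "alice", []string{"developers"})           // login after revocation
	return !s.hasGroup("alice", "admins")
}

func main() {
	fmt.Println("append semantics drops revoked group:", revocationRespected((*groupStore).setUserGroupsAppend))
	fmt.Println("replace semantics drops revoked group:", revocationRespected((*groupStore).setUserGroupsReplace))
}
```

With append semantics the revoked "admins" group survives the second login; with replace semantics it is gone, which is the behaviour a group-based policy relies on.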

Details

CWE(s)
CWE-269, NVD-CWE-noinfo

Affected Products

zotregistry zot, versions ≤ 2.1.2

References