CVE-2025-23208
📋 TL;DR
CVE-2025-23208 is an authorization bypass vulnerability in Zot OCI image registry where group membership changes from identity providers are not properly processed. When users are removed from groups via IdP, Zot continues to grant them access based on previous group memberships. This affects any Zot deployment using group-based authorization with external identity providers.
💻 Affected Systems
- project-zot/zot
📦 What is this software?
Zot by Zotregistry
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users maintain access to protected container images and registry functions after being removed from authorized groups, potentially leading to data exfiltration, unauthorized modifications, or privilege escalation.
Likely Case
Former employees or contractors retain access to container registries after their group memberships are revoked, violating least privilege principles and potentially exposing sensitive container images.
If Mitigated
With proper network segmentation and additional authentication layers, the impact is limited to unauthorized access within the registry's scope rather than broader system compromise.
🎯 Exploit Status
Exploitation requires valid user credentials and knowledge of group-based authorization configuration. Attackers must first gain legitimate access, then maintain it after group revocation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.2
Vendor Advisory: https://github.com/project-zot/zot/security/advisories/GHSA-c9p4-xwr9-rfhx
Restart Required: No
Instructions:
1. Back up the current Zot configuration and data.
2. Stop the Zot service.
3. Upgrade to version 2.1.2 using your package manager or a manual installation.
4. Verify configuration compatibility.
5. Restart the Zot service.
6. Test group revocation functionality.
🔧 Temporary Workarounds
No workarounds available
The vendor advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Implement an additional authorization layer (e.g., an API gateway with its own group validation)
- Monitor and manually revoke user sessions when group changes occur in IdP
🔍 How to Verify
Check if Vulnerable:
If the running Zot version is older than 2.1.2 and the deployment uses group-based authorization with an external IdP, the system is vulnerable.
Check Version:
zot --version
Verify Fix Applied:
After upgrading to 2.1.2, test group revocation:
1. Add a test user to an authorized group via the IdP.
2. Verify the user can access protected resources.
3. Remove the user from the group via the IdP.
4. Verify the user's access is properly revoked.
📡 Detection & Monitoring
Log Indicators:
- Users accessing resources after group revocation timestamps
- Repeated successful authentication from users not in current authorized groups
Network Indicators:
- API requests to protected endpoints from users whose groups were recently revoked
SIEM Query:
source="zot" (event="access_granted" OR event="authentication_success")
| join type=inner user_id [search source="idp" event="group_membership_change" action="remove" | rename _time AS revoked_at | fields user_id revoked_at]
| where _time > revoked_at
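As an added example (not code from the advisory or from the Zot project), the following Python script applies the log indicators above to constructed sample events: it correlates Zot access events with IdP group-membership changes and flags any access granted on a group the user had already been removed from. The field names (ts, event, action, user_id, group, groups, repo) are assumptions mirroring the SIEM query, not Zot's or any IdP's actual log schema.

```python
from datetime import datetime

# Constructed sample events (not Zot's or any IdP's real log format); field
# names follow the SIEM query above: ts, event, action, user_id, group(s).
IDP_EVENTS = [
    {"ts": "2025-01-10T09:00:00Z", "event": "group_membership_change", "action": "add",
     "user_id": "alice", "group": "registry-admins"},
    {"ts": "2025-01-12T17:30:00Z", "event": "group_membership_change", "action": "remove",
     "user_id": "alice", "group": "registry-admins"},
]
ZOT_EVENTS = [
    {"ts": "2025-01-11T10:00:00Z", "event": "access_granted", "user_id": "alice",
     "repo": "internal/app", "groups": ["registry-admins"]},
    {"ts": "2025-01-13T08:15:00Z", "event": "access_granted", "user_id": "alice",
     "repo": "internal/app", "groups": ["registry-admins"]},
    {"ts": "2025-01-13T08:20:00Z", "event": "access_granted", "user_id": "bob",
     "repo": "internal/app", "groups": ["developers"]},
]

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def membership_timeline(idp_events):
    """Map (user_id, group) -> time-sorted list of (time, action) from IdP changes."""
    timeline = {}
    for ev in idp_events:
        if ev.get("event") == "group_membership_change":
            key = (ev["user_id"], ev["group"])
            timeline.setdefault(key, []).append((_parse(ev["ts"]), ev["action"]))
    for changes in timeline.values():
        changes.sort()
    return timeline

def find_stale_group_access(zot_events, idp_events):
    """Flag Zot access events whose granting group had been removed from the
    user (and not re-added) before the access: the pre-2.1.2 symptom."""
    timeline = membership_timeline(idp_events)
    findings = []
    for ev in zot_events:
        if ev.get("event") not in ("access_granted", "authentication_success"):
            continue
        when = _parse(ev["ts"])
        for group in ev.get("groups", []):
            # Latest membership change for this (user, group) at or before the access.
            last = [a for t, a in timeline.get((ev["user_id"], group), []) if t <= when]
            if last and last[-1] == "remove":
                findings.append({"user_id": ev["user_id"], "group": group,
                                 "repo": ev.get("repo"), "ts": ev["ts"]})
    return findings
```

On the sample data only alice's second access (after her removal from registry-admins) is reported; the first access and bob's access are not.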