CVE-2025-4374
📋 TL;DR
A privilege escalation vulnerability in Quay container registry allows users or robots to gain administrative permissions on newly created repositories when pulling unmirrored images through an organization proxy cache. This affects Quay deployments where organizations are configured as proxy caches.
💻 Affected Systems
- Red Hat Quay
📦 What is this software?
Quay is a container image registry from Red Hat, shipped as Red Hat Quay and developed upstream as Project Quay. An organization in Quay can be configured as a proxy cache for a remote registry: the first pull of an image through that organization creates a repository in it and caches (mirrors) the image there, and later pulls are served from the cache. The repository that this first pull creates is where the faulty permission grant happens.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative control over repositories, allowing them to push malicious images, delete legitimate images, or modify repository configurations.
Likely Case
Accidental privilege escalation where legitimate users gain unintended admin access to repositories they shouldn't control.
If Mitigated
Limited impact if repository creation and permission changes in proxy-cache organizations are monitored and writes to cached repositories are reviewed, but the unintended admin grant still happens on every first pull of an uncached image until Quay is patched.
🎯 Exploit Status
Exploitation requires an authenticated identity (user or robot account) that is allowed to pull through a proxy-cache organization. The trigger is an ordinary pull of an image that the proxy has not cached yet: Quay creates the repository for it and grants the pulling identity admin on that new repository. No special tooling is involved; pulls of already-cached images do not create repositories and so do not trigger the grant.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisory for specific fixed versions
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-4374
Restart Required: Yes
Instructions:
1. Check Red Hat advisory for fixed Quay version
2. Update Quay to patched version
3. Restart Quay services
4. Verify proxy cache functionality
🔧 Temporary Workarounds
Disable proxy cache organizations
Temporarily disable proxy caching until patched. The feature can be turned off for the whole instance by setting FEATURE_PROXY_CACHE: false in config.yaml and restarting Quay, or the proxy-cache configuration can be removed per organization (organization settings in the Quay UI, or the proxycache endpoint under /api/v1/organization/{orgname} in the Quay API). Pulls of upstream images through those organizations fail until the configuration is restored.
# Set FEATURE_PROXY_CACHE: false in config.yaml, or remove the proxy-cache configuration from each affected organization
# Restart Quay services
Restrict image pulling permissions
Limit which users and robots can pull through proxy-cache organizations: only an identity that can pull an uncached image can trigger the repository creation that grants admin, so narrowing the pull population narrows who can be escalated.
# Review organization membership and robot accounts that can pull from proxy-cache organizations
# Remove pull access for identities that do not need the cache, and tighten robot account permissions
🧯 If You Can't Patch
- Disable proxy cache functionality in all organizations
- Implement strict monitoring for repository permission changes and admin access
🔍 How to Verify
Check if Vulnerable:
List organizations that have a proxy-cache configuration (organization settings in the Quay UI, or GET /api/v1/organization/{orgname}/proxycache) and, for each repository inside them, review the direct user and robot permissions. Any user or robot holding admin on a repository it only ever pulled from is the symptom of this flaw.
Check Version:
Quay has no `quay --version` command. Read the version from the tag of the running Quay container image (for example registry.redhat.io/quay/quay-rhel8:<version>, or quay.io/projectquay/quay:<version> upstream), from the Quay web UI, or from the QuayRegistry status when deployed with the Quay Operator, and compare it with the fixed versions in the Red Hat advisory.
Verify Fix Applied:
After patching, use a low-privileged test user or robot to pull an image that is not yet cached through a proxy-cache organization, then inspect the permissions of the repository Quay created (GET /api/v1/repository/{orgname}/{repo}/permissions/user/ or the repository settings page). The puller must not appear with the admin role; if it does, the fix is not in effect.
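The following script automates the check described above: it finds proxy-cache organizations, walks their repositories, and reports direct admin grants held by identities outside an expected-admin list. It is an added example for this advisory, not Quay project code. The endpoint paths and response shapes (the proxycache endpoint, the paginated repository listing, and the permissions/user/ listing) are assumed to follow the Quay v1 REST API of your version; the SAMPLE_API responses, organization and account names are constructed so the script runs offline.

```python
"""Audit Quay proxy-cache organizations for repositories on which a user or
robot holds a direct admin grant.  Added example for this advisory; not Quay
project code.  Endpoint paths and response shapes are assumed to follow the
Quay v1 REST API; SAMPLE_API is constructed, not real data."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample responses keyed by request path (hypothetical data).
SAMPLE_API: Dict[str, Optional[dict]] = {
    # cache-org proxies docker.io; plain-org has no proxy-cache config (404 -> None).
    "/api/v1/organization/cache-org/proxycache": {"upstream_registry": "docker.io"},
    "/api/v1/organization/plain-org/proxycache": None,
    "/api/v1/repository?namespace=cache-org": {
        "repositories": [{"namespace": "cache-org", "name": "nginx"},
                         {"namespace": "cache-org", "name": "redis"}],
        "next_page": None},
    # nginx: alice pulled it first and ended up with a direct admin grant.
    "/api/v1/repository/cache-org/nginx/permissions/user/": {"permissions": {
        "ops-admin": {"role": "admin", "is_robot": False},
        "alice": {"role": "admin", "is_robot": False},
        "bob": {"role": "read", "is_robot": False}}},
    # redis: a robot account pulled it first.
    "/api/v1/repository/cache-org/redis/permissions/user/": {"permissions": {
        "cache-org+puller": {"role": "admin", "is_robot": True}}},
}


def sample_fetcher() -> Callable[[str], Optional[dict]]:
    """Fetcher that serves the constructed SAMPLE_API instead of a live Quay."""
    return lambda path: SAMPLE_API.get(path)


def http_fetcher(base_url: str, token: str) -> Callable[[str], Optional[dict]]:
    """Fetcher for a live Quay: GET base_url+path with an OAuth bearer token.
    HTTP 404 is returned as None (e.g. an organization with no proxy-cache config)."""
    def fetch(path: str) -> Optional[dict]:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": f"Bearer {token}"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise
    return fetch


def proxy_cache_orgs(fetch: Callable[[str], Optional[dict]], orgs: Iterable[str]) -> List[str]:
    """Return the organizations that carry a proxy-cache configuration."""
    return [o for o in orgs
            if (fetch(f"/api/v1/organization/{o}/proxycache") or {}).get("upstream_registry")]


def list_repositories(fetch: Callable[[str], Optional[dict]], org: str) -> List[str]:
    """Walk the paginated repository listing of one namespace."""
    names, path = [], f"/api/v1/repository?namespace={org}"
    while True:
        page = fetch(path) or {}
        names.extend(r["name"] for r in page.get("repositories", []))
        if not page.get("next_page"):
            return names
        path = f"/api/v1/repository?namespace={org}&next_page={page['next_page']}"


def unexpected_admins(fetch, org: str, expected_admins=frozenset()) -> List[dict]:
    """Direct admin grants on repositories in `org` held by identities outside
    the expected-admin list.  In a proxy-cache org a puller must never appear here."""
    findings = []
    for repo in list_repositories(fetch, org):
        perms = fetch(f"/api/v1/repository/{org}/{repo}/permissions/user/") or {}
        for name, p in perms.get("permissions", {}).items():
            if p.get("role") == "admin" and name not in expected_admins:
                findings.append({"repo": f"{org}/{repo}", "principal": name,
                                 "is_robot": bool(p.get("is_robot"))})
    return findings


def audit(fetch, orgs: Iterable[str], expected_admins=frozenset()) -> Dict[str, List[dict]]:
    """Audit every proxy-cache org among `orgs`; an empty list means that org is clean."""
    return {o: unexpected_admins(fetch, o, expected_admins)
            for o in proxy_cache_orgs(fetch, orgs)}


if __name__ == "__main__":
    # Offline run against the constructed sample; use http_fetcher(url, token) for a live audit.
    print(json.dumps(audit(sample_fetcher(), ["cache-org", "plain-org"], {"ops-admin"}), indent=2))
```

On a live instance, pass the organization list you obtained from the superuser organization listing and an expected-admin set made of the org owners and any deliberately granted admins; every remaining admin on a cached repository is either a leftover of this flaw or an intentional grant worth documenting.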
📡 Detection & Monitoring
Log Indicators:
- Repository creation events in proxy-cache organizations performed by ordinary users or robots (a first-time pull of an uncached image creates the repository; check by pulling a test image whether your Quay version records this as a create_repo usage-log entry)
- Users or robots appearing with the admin role on repositories they only pulled from, or permission changes on those repositories made by the puller
- Pushes, tag deletions, or visibility and configuration changes on cached repositories by anyone other than the organization owners; the cache itself should be the only writer
Network Indicators:
- A burst of first-time pulls through proxy-cache organizations, each for a different, previously uncached image; repeated pulls of already-cached images do not create repositories
- Pushes (registry PUT/PATCH traffic) arriving at proxy-cache organizations, which should only serve pulls
SIEM Query:
Use the Quay usage logs (UI usage logs, or GET /api/v1/organization/{orgname}/logs). The pattern of interest is a create_repo entry in a proxy-cache organization whose performer is not an organization owner, followed by a push_repo, delete_tag, or repository permission entry by the same performer on the same repository. In Splunk-like pseudo-syntax:
search kind=create_repo namespace IN (<proxy-cache orgs>) NOT performer IN (<org owners>) | join repo [search kind IN (push_repo, delete_tag, add_repo_permission, change_repo_permission)]