What is CVE-2025-23208?

CVE-2025-23208 is a high-severity vulnerability in Project-zot Zot, classified under Improper Privilege Management. CVSS score: 7.3/10. Published 2025-01-17.

How severe is CVE-2025-23208?

High severity. CVSS v3 base score is 7.3 out of 10.

Privilege escalation in Project-zot Zot

CVE-2025-23208

zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. SetUserGroups is alled on login, but inst…

Vulnerability class: Privilege Escalation

EPSS: 0.001 (28.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L.

Affected products

Project-zot Zot — versions < 2.1.2

Weakness classification (CWE)

CWE-269 — Improper Privilege Management

References

https://github.com/project-zot/zot/security/advisories/GHSA-c9p4-xwr9-rfhx (x_refsource_CONFIRM)
https://github.com/project-zot/zot/commit/002ac62d8a15bf0cba010b3ba7bde86f9837b613 (x_refsource_MISC)
https://github.com/project-zot/zot/blob/5e30fec65c49e3139907e2819ccb39b2e3bd784e/pkg/meta/boltdb/boltdb.go#L1665 (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-23208?: CVE-2025-23208 is a high-severity vulnerability in Project-zot Zot, classified under Improper Privilege Management. CVSS score: 7.3/10. Published 2025-01-17.
How severe is CVE-2025-23208?: High severity. CVSS v3 base score is 7.3 out of 10.