CVE-2025-23208 - Zot OCI Registry Ignores Group Removals – What You Need To Know

Published: June 2024
Impact: Improper Group Revocation in Zot’s User Authorization
Affected Versions: All before 2.1.2
Score: High (Authorization Bypass)

Introduction

If you’re running your own container images registry using Zot, you might rely on its authentication and group-based authorization features to control user access. However, a new security issue (CVE-2025-23208) shows that removing a user from a group at your Identity Provider (IdP) isn't always enough—Zot may keep giving them the same access. This post will break down the vulnerability, how it happens, why it's risky, and how to fix it.

What Is Zot?

Zot is a vendor-neutral, OCI-compatible image registry designed for reliability and production use. It supports advanced authentication—including Single Sign-On (SSO)—and allows for group-based authorization.

What Is The Issue?

Summary:
When a user's group membership is changed at the IdP (like Okta, LDAP, etc.), Zot should update its own record to match. However, it was discovered that Zot doesn’t remove old group entries—it just keeps adding new groups to the user’s metadata. Therefore, even after revoking or removing a user’s group membership, Zot’s access control checks might still let them in as if nothing changed.

- Technical cause: In the boltdb (meta.db), group memberships are stored as append-lists, not replaced on each login.

Technical Details and Exploit

Where’s the bug?
The bug lies in the function handling group assignments on user login. In particular, the API endpoint calls SetUserGroups, which appends new group names instead of replacing the old list.

Relevant Code Snippet

// Inside user management code in Zot (before fix)

func (db *userDB) SetUserGroups(username string, groups []string) error {
    currentGroups := db.GetUserGroups(username)
    updatedGroups := append(currentGroups, groups...) // <--- here's the problem
    db.WriteGroups(username, updatedGroups)
    return nil
}

Deleting a group for a user at the IdP does NOT remove it from Zot’s database.

What’s the impact?
Suppose you have two groups: dev-team and qa-team. Alice was in both, but you recently removed her from qa-team at your IdP. She logs into Zot again. Because of this bug, Zot still treats Alice as a member of qa-team, even after her official membership ended. Any authorization rules based on groups become unreliable.

No error or warning is produced.

Video PoC: Demonstration on YouTube *(not a real PoC, for illustration only)*

Mitigation and Fix

Status:
The issue was fixed in Zot 2.1.2.

Patch:
The bug is fixed by overwriting the user's group assignments on each login instead of appending.

Fixed Code:

func (db *userDB) SetUserGroups(username string, groups []string) error {
    db.WriteGroups(username, groups) // Overwrite! Not append.
    return nil
}

Upgrade Zot to 2.1.2 or newer as soon as possible.

2. Check your user/group assignments after upgrading to ensure they match your IdP.

References

- Official Zot Security Advisory
- Zot 2.1.2 Release Notes
- CVE Record for CVE-2025-23208
- Zot Documentation

Conclusion

CVE-2025-23208 is a silent but serious flaw: even after you do everything right at the Identity Provider, Zot’s old records let users keep access they shouldn’t have. If you use group-based authorization, this directly impacts your security posture.

Immediate Action:
All users should update to Zot 2.1.2 or later right away. There is no safe workaround.

For maximum security, regularly audit your user and group assignments—both at the IdP *and* in Zot.

Timeline

Published on: 01/17/2025 23:15:13 UTC