CVE-2025-24882 - How Attackers Can Trick Docker Images with regclient in Go (With Fixes and Exploit Details)

If you use regclient – a popular Docker and OCI Registry Client library in Go – you might be at risk from a recent security vulnerability: CVE-2025-24882. This post explains what went wrong, shows you how attackers could abuse this bug, and how to protect your builds. You’ll also see code snippets and reference links so you can understand the issue and solution – all in plain language.

What is regclient and Why Does it Matter?

When working with containers, Go developers often use regclient to talk to Docker or OCI registries. It helps fetch or push images by communicating with remote registries (like Docker Hub or a private registry in your company).

What’s the Vulnerability? (CVE-2025-24882 Explained)

Summary:
A malicious or compromised registry could send a _different image_ than you expect, even when you ask for a specific digest. This happens because regclient didn’t verify the digest returned by the registry – giving attackers a way to slip in a different image.

Why is this dangerous?
Imagine you’re deploying a critical app, and you _think_ you’re pulling a trusted image. But because of this bug, if the registry is under attacker control (or compromised), you could get malware instead.

The Technical Details (Simple Explanation)

- When you request an image from a registry, you often ask for it by “digest” (a unique cryptographic hash).

The registry returns the manifest (the image description and content).

- regclient, before v.7.1, would _accept whatever manifest the registry returned_ – and did not check if its computed digest matches what you asked for.

Exploiting CVE-2025-24882: A Simple Attack Demo

Let’s walk through how an attacker could use this bug.

Step 1: Set up a Malicious Registry

Suppose an attacker controls a registry (evil.registry.com). You, the victim, expect to get a “hello-world” image with a known digest.

Your Go code (using regclient) might look like

import "github.com/regclient/regclient"

rc := regclient.New()
img, err := rc.ImageGet(ctx, "evil.registry.com/hello-world@sha256:DEADBEEF...";)
if err != nil {
    panic(err)
}
// img is assumed to be the "correct" image...

Step 3: The Registry Sends a DIFFERENT Manifest

The attacker's registry responds with a manifest for a malicious image, but regclient doesn’t check the digest. regclient happily returns the content to your code.

Step 4: Malicious Code Runs

You build or deploy from the bogus manifest – and end up running an attacker’s image!

The Code that Got Fixed

The problem was that the digest wasn’t verified after download.

Vulnerable

// Fetch manifest from registry
manifest, _ := http.Get(manifestURL)
// OOPS: Doesn't check if digest matches!
return manifest

Fixed Version

// Fetch manifest bytes
manifestBytes, _ := http.Get(manifestURL)
// Verify digest
actualDigest := sha256.Sum256(manifestBytes)
if actualDigest != expectedDigest {
    // This is suspicious!
    return errors.New("manifest digest mismatch")
}
return manifestBytes

Now you can’t get tricked by the registry – regclient double-checks the content hash.

Update regclient to v.7.1 or later:

GitHub Release Notes for .7.1

`bash

go get github.com/regclient/regclient@v.7.1

References

- regclient Security Advisory for CVE-2025-24882
- regclient GitHub Release (.7.1)
- CVE Record for CVE-2025-24882

TL;DR

CVE-2025-24882 lets a bad registry trick you into pulling the wrong Docker image if you use regclient Go library before v.7.1. Update now to stay safe!

Let’s all keep our supply chains secure – one patch at a time. 🚀


If this helped you, please share or drop questions below!

Timeline

Published on: 01/29/2025 18:15:47 UTC