Medium severity (5.2) · NVD Advisory · Published Jan 29, 2025 · Updated Apr 15, 2026
CVE-2025-24882
Description
regclient is a Docker and OCI Registry Client in Go. A malicious registry could return a manifest whose digest differs from the pinned digest without the mismatch being detected. This vulnerability is fixed in 0.7.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/regclient/regclient (Go) | < 0.7.1 | 0.7.1 |
Patches
2cdfb08e81b177d17cff26c22 Fix: Validate the digest of the ref when provided
3 files changed · +21 −5
scheme/reg/referrer.go+1 −1 modified@@ -209,7 +209,7 @@ func (reg *Reg) referrerListByAPIPage(ctx context.Context, r ref.Ref, config sch } m, err := manifest.New( - manifest.WithRef(r), + manifest.WithRef(r.SetDigest("")), manifest.WithHeader(resp.HTTPResponse().Header), manifest.WithRaw(rawBody), )
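Review bot: The switch to `manifest.WithRef(r.SetDigest(""))` carries no comment saying why the digest is dropped, and now that New verifies against the ref digest, a reader who later restores `WithRef(r)` would turn every referrers lookup into an ErrDigestMismatch. Presumably the body here is the referrers index rather than the manifest that r's digest names, so I would add `// the referrers response is not the manifest r's digest names; clear it so New does not verify against it` above the call. Any other manifest.New caller that passes a digest-carrying ref for a body that digest does not describe would need the same treatment, which is worth auditing outside this hunk. referrerListByAPIPage starts before and continues after this hunk.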
types/manifest/manifest.go+10 −2 modified@@ -102,6 +102,7 @@ type manifestConfig struct { type Opts func(*manifestConfig) // New creates a new manifest based on provided options. +// The digest for the manifest will be checked against the descriptor, reference, or headers, depending on which is available first (later digests will be ignored). func New(opts ...Opts) (Manifest, error) { mc := manifestConfig{} for _, opt := range opts { @@ -113,6 +114,13 @@ func New(opts ...Opts) (Manifest, error) { rawBody: mc.raw, rawHeader: mc.header, } + if c.r.Digest != "" && c.desc.Digest == "" { + dig, err := digest.Parse(c.r.Digest) + if err != nil { + return nil, fmt.Errorf("failed to parse digest from ref: %w", err) + } + c.desc.Digest = dig + } // extract fields from header where available if mc.header != nil { if c.desc.MediaType == "" { @@ -446,7 +454,7 @@ func fromOrig(c common, orig interface{}) (Manifest, error) { } // verify digest didn't change if origDigest != "" && origDigest != c.desc.Digest { - return nil, fmt.Errorf("manifest digest mismatch, expected %s, computed %s", origDigest, c.desc.Digest) + return nil, fmt.Errorf("manifest digest mismatch, expected %s, computed %s%.0w", origDigest, c.desc.Digest, errs.ErrDigestMismatch) } return m, nil } @@ -563,7 +571,7 @@ func fromCommon(c common) (Manifest, error) { } // verify digest didn't change if origDigest != "" && origDigest != c.desc.Digest { - return nil, fmt.Errorf("manifest digest mismatch, expected %s, computed %s", origDigest, c.desc.Digest) + return nil, fmt.Errorf("manifest digest mismatch, expected %s, computed %s%.0w", origDigest, c.desc.Digest, errs.ErrDigestMismatch) } return m, nil }
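Review bot: In New, the block added at `@@ -113` consults the ref digest only when `c.desc.Digest` is empty, so a caller that supplies both a descriptor and a digest-pinned ref gets no verification of the pin when the two disagree; the comment added at `@@ -102` documents that precedence rather than rejecting the conflict. If the descriptor can come from a registry response while the ref carries the caller's pin, that call pattern would keep the trust gap this commit closes, so I would parse the ref digest whenever it is present and return errs.ErrDigestMismatch when a non-empty descriptor digest differs, as sketched below (if mixed digest algorithms are expected between ref and descriptor, the comparison needs to account for that). Minor: `failed to parse digest from ref: %w` uses a "failed to" prefix while the other messages in these hunks describe the step, so `parsing digest from ref: %w` reads more consistently. The bodies of New, fromOrig and fromCommon extend beyond their hunks.
```go
	if c.r.Digest != "" {
		dig, err := digest.Parse(c.r.Digest)
		if err != nil {
			return nil, fmt.Errorf("parsing digest from ref: %w", err)
		}
		switch {
		case c.desc.Digest == "":
			c.desc.Digest = dig
		case c.desc.Digest != dig:
			// a pinned ref and a descriptor that disagree is a mismatch, not a tie-break
			return nil, fmt.Errorf("digest mismatch between ref and descriptor, expected %s, received %s%.0w", dig, c.desc.Digest, errs.ErrDigestMismatch)
		}
	}
	// … unchanged: header extraction …
```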
types/manifest/manifest_test.go+10 −2 modified@@ -828,7 +828,15 @@ func TestNew(t *testing.T) { wantE: fmt.Errorf("manifest contains an unexpected media type: expected %s, received %s", mediatype.OCI1Manifest, mediatype.OCI1ManifestList), }, { - name: "Invalid digest", + name: "Invalid ref digest", + opts: []Opts{ + WithRef(r.SetDigest(digestInvalid.String())), + WithRaw(rawDockerSchema2), + }, + wantE: errs.ErrDigestMismatch, + }, + { + name: "Invalid descriptor digest", opts: []Opts{ WithRef(r), WithRaw(rawDockerSchema2), @@ -838,7 +846,7 @@ func TestNew(t *testing.T) { Size: int64(len(rawDockerSchema2)), }), }, - wantE: fmt.Errorf("manifest digest mismatch, expected %s, computed %s", digestInvalid, digestDockerSchema2), + wantE: errs.ErrDigestMismatch, }, { name: "Invalid Media Type",
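Review bot: The two new table entries exercise only the failure side of the ref-digest check; unless the table already has one elsewhere, a passing case such as `name: "Valid ref digest"` with `WithRef(r.SetDigest(digestDockerSchema2.String()))` and `WithRaw(rawDockerSchema2)` expecting no error would pin that a correct pin is accepted rather than rejected along with the invalid one. A further case that gives both a matching ref digest and a conflicting descriptor digest would document which of the two New honours. TestNew starts before and continues after this hunk.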
References