CVE-2025-24976
Description
Distribution is a toolkit to pack, ship, store, and deliver container content. Systems running registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted signing key in a JSON web token (JWT). The issue lies in how the JSON web key (JWK) verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (kid) matches one of the trusted keys, but doesn't verify that the actual key material matches. A fix for the issue is available at commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd and expected to be a part of version 3.0.0-rc.3. There is no way to work around this issue without patching if the system requires token authentication.
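The flaw described above is a kid-only lookup. As an added illustration (not the distribution project's code and not the fix at the commit cited), the Go snippet below contrasts a key resolver that checks only that the JWK's `kid` is in the trusted set with one that also requires the presented key material to equal the trusted key; the `jwkHeader` type, the Ed25519 keys and the `registry-key` kid are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// jwkHeader stands in for the JWK in a JWT header that carries no certificate chain (constructed).
type jwkHeader struct {
	Kid string
	Key ed25519.PublicKey
}

// resolveVulnerable mirrors the flaw in the advisory: only the kid is compared, then the token's own key is used.
func resolveVulnerable(trusted map[string]ed25519.PublicKey, h jwkHeader) (ed25519.PublicKey, error) {
	if _, ok := trusted[h.Kid]; !ok {
		return nil, errors.New("untrusted kid")
	}
	return h.Key, nil // BUG: attacker-controlled key material is what will verify the signature
}

// resolveFixed also requires the presented key to equal the trusted key for that kid, and verifies with the trusted copy.
func resolveFixed(trusted map[string]ed25519.PublicKey, h jwkHeader) (ed25519.PublicKey, error) {
	tk, ok := trusted[h.Kid]
	if !ok {
		return nil, errors.New("untrusted kid")
	}
	if !tk.Equal(h.Key) {
		return nil, errors.New("JWK key material does not match the trusted key for this kid")
	}
	return tk, nil
}

// accepts reports whether sig over msg verifies under the key chosen by resolve.
func accepts(resolve func(map[string]ed25519.PublicKey, jwkHeader) (ed25519.PublicKey, error), trusted map[string]ed25519.PublicKey, h jwkHeader, msg, sig []byte) bool {
	k, err := resolve(trusted, h)
	return err == nil && ed25519.Verify(k, msg, sig)
}
// scenario signs a token with a key the registry never registered but reuses a trusted kid in the header;
// it returns (vulnerable resolver accepts, fixed resolver accepts).
func scenario() (bool, bool) {
	trustedPub, _, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	roguePub, roguePriv, _ := ed25519.GenerateKey(nil)
	trusted := map[string]ed25519.PublicKey{"registry-key": trustedPub}
	msg := []byte("header.payload") // constructed signing input
	sig := ed25519.Sign(roguePriv, msg)
	h := jwkHeader{Kid: "registry-key", Key: roguePub}
	return accepts(resolveVulnerable, trusted, h, msg, sig), accepts(resolveFixed, trusted, h, msg, sig)
}
```

The fixed resolver returns the registry's own copy of the key rather than the header's, so even a JWK that passes the equality check cannot smuggle in extra parameters.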
Affected products
- (no CPE) range: v3.0.0-beta.1, v3.0.0-rc.1, v3.0.0-rc.2
- (no CPE) range: >=3.0.0-beta.1, <=3.0.0-rc.2