VYPR
Medium severity · NVD Advisory · Published May 22, 2025 · Updated Apr 15, 2026

CVE-2025-48374

Description

zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f), when Keycloak is configured as an OIDC provider, the OpenID client secret is printed to the container's stdout logs, for example when the configuration is logged at container startup. Version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f) fixes the issue by masking OpenID provider client secrets in the sanitized copy of the configuration used for logging, as was already done for the LDAP bind password. Upgrading alone does not revoke a secret that has already been written to retained or shipped logs; rotate the client secret in Keycloak after deploying the fix.
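To make the mechanism concrete, the following Go program is an added example written for this page, not zot's code: the struct shapes, JSON tags and the helper names clone, sanitize, renderForLog and leakedSecrets are assumptions modelled on the patch shown further down. It reproduces the pre-fix and post-fix behaviour of the config sanitizer over a constructed configuration and then checks which of the known secrets survive into the text that would be logged.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Constructed stand-in for the registry's auth config; the field names echo
// the diff but this is not zot's real config.Config.
type LDAPConfig struct {
	BindPassword string `json:"bindPassword"`
}

type OpenIDProviderConfig struct {
	Name         string `json:"name"`
	ClientID     string `json:"clientID"`
	ClientSecret string `json:"clientSecret"`
	Issuer       string `json:"issuer"`
}

type OpenIDConfig struct {
	Providers map[string]OpenIDProviderConfig `json:"providers"`
}

type AuthConfig struct {
	LDAP   *LDAPConfig   `json:"ldap,omitempty"`
	OpenID *OpenIDConfig `json:"openid,omitempty"`
}

type Config struct {
	Auth *AuthConfig `json:"auth,omitempty"`
}

const mask = "******"

// clone returns an independent copy (JSON round trip here, in place of the
// project's DeepCopy) so masking never touches the live config the server
// keeps using to authenticate.
func clone(c *Config) *Config {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	out := &Config{}
	if err := json.Unmarshal(b, out); err != nil {
		panic(err)
	}
	return out
}

// sanitize mirrors Sanitize(): before the fix only the LDAP bind password was
// masked; with fixed == true the OpenID client secrets are masked as well.
func sanitize(c *Config, fixed bool) *Config {
	s := clone(c)
	if s.Auth == nil {
		return s
	}
	if s.Auth.LDAP != nil && s.Auth.LDAP.BindPassword != "" {
		s.Auth.LDAP.BindPassword = mask
	}
	if fixed && s.Auth.OpenID != nil {
		for name, p := range s.Auth.OpenID.Providers {
			p.ClientSecret = mask
			s.Auth.OpenID.Providers[name] = p
		}
	}
	return s
}

// renderForLog is the "print the config at startup" step.
func renderForLog(c *Config) string {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	return string(b)
}

// leakedSecrets is the check to run over whatever was logged: which of the
// known secrets appear in it verbatim.
func leakedSecrets(logged string, secrets []string) []string {
	var leaked []string
	for _, s := range secrets {
		if s != "" && strings.Contains(logged, s) {
			leaked = append(leaked, s)
		}
	}
	return leaked
}

// sampleConfig is constructed input with placeholder credentials.
func sampleConfig() *Config {
	return &Config{Auth: &AuthConfig{
		LDAP: &LDAPConfig{BindPassword: "ldap-bind-pass-123"},
		OpenID: &OpenIDConfig{Providers: map[string]OpenIDProviderConfig{"keycloak": {
			Name: "keycloak", ClientID: "zot", ClientSecret: "kc-client-secret-456",
			Issuer: "https://sso.example.test/realms/zot",
		}}},
	}}
}
```

Calling leakedSecrets(renderForLog(sanitize(cfg, false)), secrets) on the sample returns the Keycloak client secret and nothing else, because only the bind password was redacted; with fixed set to true it returns nothing, and the original cfg is left unmodified either way. The same leakedSecrets check is a cheap regression test to keep next to any "log the config" code path: feed it every credential the config holds and fail the build if any of them survives redaction.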

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  | Affected versions                        | Patched versions
zotregistry.dev/zot (Go) | < 1.4.4-0.20250522160828-8a99a3ed231f    | 1.4.4-0.20250522160828-8a99a3ed231f

Patches

Patch 1 of 1: commit 8a99a3ed231f

Merge commit from fork

Repository: https://github.com/project-zot/zot · Author: Andrei Aaron · May 22, 2025 · via GHSA
1 file changed · +27 −5
  • pkg/api/config/config.go (modified, +27 −5)
    @@ -331,14 +331,36 @@ func (c *Config) Sanitize() *Config {
     		panic(err)
     	}
     
    -	if c.HTTP.Auth != nil && c.HTTP.Auth.LDAP != nil && c.HTTP.Auth.LDAP.bindPassword != "" {
    -		sanitizedConfig.HTTP.Auth.LDAP = &LDAPConfig{}
    +	// Sanitize HTTP config
    +	if c.HTTP.Auth != nil {
    +		// Sanitize LDAP bind password
    +		if c.HTTP.Auth.LDAP != nil && c.HTTP.Auth.LDAP.bindPassword != "" {
    +			sanitizedConfig.HTTP.Auth.LDAP = &LDAPConfig{}
     
    -		if err := DeepCopy(c.HTTP.Auth.LDAP, sanitizedConfig.HTTP.Auth.LDAP); err != nil {
    -			panic(err)
    +			if err := DeepCopy(c.HTTP.Auth.LDAP, sanitizedConfig.HTTP.Auth.LDAP); err != nil {
    +				panic(err)
    +			}
    +
    +			sanitizedConfig.HTTP.Auth.LDAP.bindPassword = "******"
     		}
     
    -		sanitizedConfig.HTTP.Auth.LDAP.bindPassword = "******"
    +		// Sanitize OpenID client secrets
    +		if c.HTTP.Auth.OpenID != nil {
    +			sanitizedConfig.HTTP.Auth.OpenID = &OpenIDConfig{
    +				Providers: make(map[string]OpenIDProviderConfig),
    +			}
    +
    +			for provider, config := range c.HTTP.Auth.OpenID.Providers {
    +				sanitizedConfig.HTTP.Auth.OpenID.Providers[provider] = OpenIDProviderConfig{
    +					Name:         config.Name,
    +					ClientID:     config.ClientID,
    +					ClientSecret: "******",
    +					KeyPath:      config.KeyPath,
    +					Issuer:       config.Issuer,
    +					Scopes:       config.Scopes,
    +				}
    +			}
    +		}
     	}
     
     	if c.IsEventRecorderEnabled() {
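Review bot: the OpenID branch rebuilds each OpenIDProviderConfig by naming fields one by one (Name, ClientID, ClientSecret, KeyPath, Issuer, Scopes) and replaces OpenIDConfig with a literal that carries only Providers, so any other field on either type, present now or added later, is silently dropped from the sanitized copy; the LDAP branch just above avoids exactly this by DeepCopy-ing and then overwriting bindPassword. Suggest the same pattern here: DeepCopy c.HTTP.Auth.OpenID into sanitizedConfig.HTTP.Auth.OpenID, then range over Providers and set ClientSecret = "******", so the redaction cannot fall out of sync with the struct definitions. Two smaller points: the client secret is masked even when it is empty, whereas the LDAP branch masks only a non-empty bindPassword, which is fine (it also hides whether a secret is configured) but deserves a comment as a deliberate asymmetry; and the commit message "Merge commit from fork" says nothing about the log-redaction fix, so the reason for the change should be recorded in the message or a code comment.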
    

Vulnerability mechanics

Config.Sanitize() in pkg/api/config/config.go builds a copy of the running configuration for logging. Before the fix it redacted only the LDAP bind password (c.HTTP.Auth.LDAP.bindPassword); the OpenID section, including the ClientSecret of a configured Keycloak provider, was carried over unchanged into the sanitized copy and written to stdout wherever that copy is logged, such as at container startup. Anyone able to read the container's logs (the orchestrator, a log-shipping pipeline, a shared log store) therefore obtains the OIDC client secret. The fix extends Sanitize() to rebuild every entry of c.HTTP.Auth.OpenID.Providers with ClientSecret replaced by "******", matching the masking already applied to the LDAP bind password.

References: 5
