CVE-2025-24976

NameCVE-2025-24976
DescriptionDistribution is a toolkit to pack, ship, store, and deliver container content. Systems running registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted signing key in a JSON web token (JWT). The issue lies in how the JSON web key (JWK) verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (`kid`) matches one of the trusted keys, but doesn't verify that the actual key material matches. A fix for the issue is available at commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd and expected to be a part of version 3.0.0-rc.3. There is no way to work around this issue without patching if the system requires token authentication.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
docker-registry (PTS)bullseye (security), bullseye2.7.1+ds2-7+deb11u1fixed
bookworm2.8.2+ds1-1fixed
sid, trixie2.8.3+ds1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
docker-registrysource(unstable)(not affected)

Notes

- docker-registry <not-affected> (Vulnerable code introduced later)
https://github.com/distribution/distribution/security/advisories/GHSA-phw4-mc57-4hwc
Fixed by (merge commit): https://github.com/distribution/distribution/commit/5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd (v3.0.0-rc.3)
Search for package or bug name: Reporting problems