Token Authentication Vulnerability in Docker Distribution by Docker, Inc.
CVE-2025-24976

6.6 MEDIUM

Key Information:

Vendor
CVE Published: 11 February 2025

What is CVE-2025-24976?

A vulnerability in Docker Distribution allows an attacker to exploit token authentication in versions 3.0.0-beta.1 through 3.0.0-rc.2. The flaw is in the verification of JSON Web Keys (JWK). When a JSON Web Token (JWT) arrives with a JWK header that lacks a certificate chain, the code only checks that the KeyID (kid) corresponds to a trusted key and does not validate the key material itself. This lets a malicious actor inject an untrusted signing key, compromising the integrity of token authentication. The fix is commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd, included in the forthcoming version 3.0.0-rc.3. Users must apply this patch, as workarounds are insufficient for secure token authentication.
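The difference between a kid-only check and a check that also pins the key material, as an added Go example that is not code from Docker Distribution or its patch. The type and function names, the raw Ed25519 keys standing in for a parsed JWK, and the kid value are assumptions; all keys are constructed at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// keySet maps a trusted kid to its trusted public key (hypothetical type).
type keySet = map[string]ed25519.PublicKey

// lookup chooses the key used to verify a token whose header embeds a key.
type lookup func(trusted keySet, kid string, embedded ed25519.PublicKey) (ed25519.PublicKey, error)

// kidOnly mirrors the flaw: a trusted kid is enough, and the token's own key is returned.
func kidOnly(trusted keySet, kid string, embedded ed25519.PublicKey) (ed25519.PublicKey, error) {
	if _, ok := trusted[kid]; !ok {
		return nil, fmt.Errorf("unknown kid %q", kid)
	}
	return embedded, nil
}

// pinned also requires the embedded key material to equal the trusted key for that kid.
func pinned(trusted keySet, kid string, embedded ed25519.PublicKey) (ed25519.PublicKey, error) {
	want, ok := trusted[kid]
	if !ok || !want.Equal(embedded) {
		return nil, fmt.Errorf("kid %q or its key material is not trusted", kid)
	}
	return want, nil
}

// accepts reports whether sig over msg verifies under the key that l selects.
func accepts(l lookup, trusted keySet, kid string, embedded ed25519.PublicKey, msg, sig []byte) bool {
	k, err := l(trusted, kid, embedded)
	return err == nil && len(k) == ed25519.PublicKeySize && ed25519.Verify(k, msg, sig)
}

// demo uses constructed keys: goodPub is trusted by the verifier, otherPub is not.
func demo() (kidOnlyForeign, pinnedForeign, pinnedGenuine bool) {
	goodPub, goodPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := keySet{"kid-1": goodPub}
	msg := []byte("constructed token payload")
	foreignSig := ed25519.Sign(otherPriv, msg) // signed by the key that is not trusted
	return accepts(kidOnly, trusted, "kid-1", otherPub, msg, foreignSig),
		accepts(pinned, trusted, "kid-1", otherPub, msg, foreignSig),
		accepts(pinned, trusted, "kid-1", goodPub, msg, ed25519.Sign(goodPriv, msg))
}

func main() { fmt.Println(demo()) }
```

The kid-only lookup accepts a signature made with the untrusted key, while the pinned lookup rejects it and still accepts a token signed with the trusted key.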

Affected Version(s)

distribution >= 3.0.0-beta.1, <= 3.0.0-rc.2

CVSS V4

Score: 6.6
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
