PT-2024-39992 · Regclient · Regclient
Sudo-Bmitch · Published 2024-08-05 · Updated 2025-01-29 · CVE-2025-24882
CVSS v4.0 5.8 Medium
| Vector | AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
regclient versions prior to 0.7.1
Description
A malicious registry could return a manifest with a different digest than the one pinned in the requested reference, and the client would not detect the substitution. This issue affects regclient, a Docker and OCI registry client written in Go.
Recommendations
For versions prior to 0.7.1, update to version 0.7.1 to resolve the issue.
As a temporary workaround, after calling regclient.ManifestGet, compare the digest of the returned manifest to the digest that was requested and treat any discrepancy as a failure.
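The workaround above as an added, self-contained example, not regclient's own code: a pinned-digest check over the raw manifest bytes a registry returns. ComputeDigest, VerifyPinnedManifest, ErrDigestMismatch and the sample manifest are constructed for illustration; with the real client, the same comparison is made between the digest in the requested reference and the digest of the manifest regclient.ManifestGet returned.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrDigestMismatch is returned when content fetched for a pinned reference
// does not hash to the digest that was requested.
var ErrDigestMismatch = errors.New("manifest digest mismatch")

// ComputeDigest returns the OCI-style "sha256:<hex>" digest of raw manifest
// bytes. It must be computed over the exact bytes the registry returned, not
// over a re-serialised copy, or the comparison is meaningless.
func ComputeDigest(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// VerifyPinnedManifest checks that body hashes to the pinned digest the
// caller requested. It returns the computed digest plus a non-nil error when
// the pin is malformed or the content does not match, so the caller can refuse
// to use anything the registry served under the wrong digest.
func VerifyPinnedManifest(requested string, body []byte) (string, error) {
	requested = strings.TrimSpace(requested)
	hexPart, ok := strings.CutPrefix(requested, "sha256:")
	if !ok || len(hexPart) != 64 {
		return "", fmt.Errorf("unsupported or malformed pinned digest %q", requested)
	}
	if _, err := hex.DecodeString(hexPart); err != nil {
		return "", fmt.Errorf("pinned digest %q is not hex: %w", requested, err)
	}
	got := ComputeDigest(body)
	if got != "sha256:"+strings.ToLower(hexPart) {
		return got, fmt.Errorf("%w: requested %s, registry returned %s", ErrDigestMismatch, requested, got)
	}
	return got, nil
}

func main() {
	// Constructed sample manifest; the pin is derived from these exact bytes.
	manifest := []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","layers":[]}`)
	pin := ComputeDigest(manifest)
	// Simulate a registry substituting different content under the same pin.
	tampered := []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","layers":[],"annotations":{"x":"y"}}`)
	_, err := VerifyPinnedManifest(pin, tampered)
	fmt.Println("substituted manifest rejected:", errors.Is(err, ErrDigestMismatch))
}
```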
Insufficient Verification of Data Authenticity
RCE
Affected Products
Regclient