PT-2025-4847 · Zot+2

Jeff-Mccoy

·

Published

2025-01-17

·

Updated

2025-01-30

·

CVE-2025-23208

CVSS v3.1

7.3

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

zot versions prior to 2.1.2

Description

zot stores each user's group memberships in its bbolt (boltdb) metadata database (meta.db) as an append-only list. On every login, the SetUserGroups function is called with the groups the identity provider (IdP) reports, but instead of replacing the stored list it appends to it. A group the IdP has since revoked or removed is therefore never dropped, and the API keeps honouring it; the stored list also grows with duplicate entries on each login. The reporter additionally noted a possible interaction with the group definitions in the zot configuration file, whose exact effect was not determined. As a result, any zot deployment that relies on group-based authorization will not respect group removal or revocation by the IdP: a user demoted at the IdP keeps the access of every group they previously held.
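The append-versus-replace behaviour described above, modelled as an added example that is not zot's own code: an in-memory map stands in for the per-user record in the bbolt database, the two SetUserGroups variants (vulnerable append, corrected replace) are assumed names for the pre- and post-fix semantics, and the "admins may push" policy and the two-login sequence are constructed sample data. The user is removed from "admins" at the IdP between the two logins; under the vulnerable variant the stale group survives and the push check still passes.

```go
package main

import (
	"fmt"
	"sort"
)

// Illustrative model of CVE-2025-23208 (not zot's code). zot persisted each
// user's groups in meta.db (bbolt) and, on every login, appended the groups
// reported by the IdP instead of replacing them. A plain map stands in for
// the bbolt bucket so the example runs offline.

// userStore is a stand-in for the per-user record in meta.db.
type userStore struct {
	groups map[string][]string // username -> stored groups
}

func newUserStore() *userStore { return &userStore{groups: map[string][]string{}} }

// SetUserGroupsVulnerable mimics the pre-2.1.2 behaviour: the groups reported
// by the IdP at login are appended to whatever is already stored, so a group
// the IdP has since removed is never forgotten (and duplicates accumulate).
func (s *userStore) SetUserGroupsVulnerable(user string, idpGroups []string) {
	s.groups[user] = append(s.groups[user], idpGroups...)
}

// SetUserGroupsFixed mimics the corrected semantics: the stored list is
// replaced by a deduplicated copy of what the IdP reported at this login.
func (s *userStore) SetUserGroupsFixed(user string, idpGroups []string) {
	seen := make(map[string]bool, len(idpGroups))
	replaced := make([]string, 0, len(idpGroups))
	for _, g := range idpGroups {
		if !seen[g] {
			seen[g] = true
			replaced = append(replaced, g)
		}
	}
	s.groups[user] = replaced
}

// Groups returns a sorted copy of the stored groups for inspection.
func (s *userStore) Groups(user string) []string {
	out := append([]string(nil), s.groups[user]...)
	sort.Strings(out)
	return out
}

// canPush is a minimal group-based policy check of the kind a registry's
// access-control config expresses (hypothetical policy: only "admins" may push).
func (s *userStore) canPush(user string) bool {
	for _, g := range s.groups[user] {
		if g == "admins" {
			return true
		}
	}
	return false
}

// ReplayLogins runs the same two-login sequence (constructed sample data)
// against one variant and reports the stored groups and whether the demoted
// user can still push.
func ReplayLogins(fixed bool) (groups []string, pushAllowed bool) {
	s := newUserStore()
	set := s.SetUserGroupsVulnerable
	if fixed {
		set = s.SetUserGroupsFixed
	}
	set("alice", []string{"admins", "developers"}) // first login: alice is an admin
	set("alice", []string{"developers"})           // IdP removed alice from admins; second login
	return s.Groups("alice"), s.canPush("alice")
}

func main() {
	for _, fixed := range []bool{false, true} {
		g, ok := ReplayLogins(fixed)
		fmt.Printf("fixed=%v groups=%v canPush=%v\n", fixed, g, ok)
	}
}
```

Running it shows the vulnerable variant ending with groups [admins developers developers] and canPush=true after the second login, while the fixed variant ends with [developers] and canPush=false. The duplicate "developers" entry is the same growth an operator would see in a real meta.db under affected versions, and is a cheap indicator that the append behaviour has been exercised.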
Recommendations

Upgrade zot to version 2.1.2 or later; the fix makes SetUserGroups replace the stored group list on each login instead of appending to it. Until the upgrade is in place, do not rely on group removal at the IdP to revoke access: enforce revocation in zot's own access control configuration (remove the affected user or group from the policy) and treat group memberships recorded in meta.db as potentially stale, including the duplicate entries that accumulate with every login. Restrict filesystem access to the bbolt database (meta.db), since it holds the stale memberships that the API continues to honour.

Weakness Enumeration

CWE-269: Improper Privilege Management

Related Identifiers

CVE-2025-23208
GHSA-C9P4-XWR9-RFHX
GO-2025-3409
OPENSUSE-SU-2025:14710-1
OPENSUSE-SU-2025_0297-1
SUSE-SU-2025:0297-1

Affected Products

Suse
Boltdb
Zot