
CVE-2025-48374: zot logs secrets

CVSS Score: 5.5 (CVSS v4.0)

Basic Information

EPSS Score: 0.03705%
Published: 5/22/2025
Updated: 5/22/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| zotregistry.dev/zot | go | < 1.4.4-0.20250522160828-8a99a3ed231f | 1.4.4-0.20250522160828-8a99a3ed231f |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability (GHSA-c37v-3c8w-crq8 / CVE-2025-48374) describes the logging of OIDC client secrets. The provided commit 8a99a3ed231fdcd8467e986182b4705342b6a15e directly addresses this by modifying the Sanitize method within pkg/api/config/config.go. This method is designed to redact sensitive information from the application's configuration. The patch introduces specific logic to iterate over OIDC providers in the configuration and replace their ClientSecret field with a placeholder ('******').

The vulnerability occurred because, prior to this patch, the Sanitize method lacked this specific redaction step for OIDC client secrets, even though it handled other secrets like LDAP bind passwords. When the application logged its configuration (e.g., at startup), it likely used the output of this Sanitize method. Since the OIDC client secrets were not redacted by the then-current version of Sanitize, they were written to the logs.

Therefore, the config.(*Config).Sanitize method, in its pre-patch state, is the function that failed to redact the OIDC client secret, and its output is what reached the log. It sits on the code path that prepares the configuration for logging, so its missing redaction step is the root cause of the exposure.
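To make the root cause concrete, here is an added example (not zot's own code) that models the behaviour described above on a deliberately reduced, hypothetical config layout: a `SanitizeBefore` that only redacts the LDAP bind password, next to the patched `Sanitize` that also walks the OIDC providers and masks `ClientSecret`. The field names, the `LogLine` helper and the sample values are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical, reduced mirror of the config layout (not zot's own code).
type OIDCProvider struct{ ClientID, ClientSecret string }
type LDAPConfig struct{ BindDN, BindPassword string }
type Config struct {
	LDAP   LDAPConfig
	OpenID map[string]OIDCProvider
}
const redacted = "******"

// SanitizeBefore models the pre-patch behaviour on a copy of the config: the
// LDAP bind password is redacted, OIDC client secrets are copied verbatim.
// Working on a copy matters: redacting the live config would break auth.
func (c *Config) SanitizeBefore() *Config {
	out := &Config{LDAP: c.LDAP, OpenID: make(map[string]OIDCProvider, len(c.OpenID))}
	out.LDAP.BindPassword = redacted
	for name, p := range c.OpenID {
		out.OpenID[name] = p // ClientSecret survives: the bug
	}
	return out
}

// Sanitize models the patched behaviour: it additionally walks every OIDC
// provider and replaces its ClientSecret with the placeholder.
func (c *Config) Sanitize() *Config {
	out := c.SanitizeBefore()
	for name, p := range out.OpenID {
		p.ClientSecret = redacted
		out.OpenID[name] = p
	}
	return out
}

// LogLine renders a config the way a startup log entry would.
func LogLine(c *Config) string {
	b, _ := json.Marshal(c)
	return string(b)
}

func main() {
	cfg := &Config{LDAP: LDAPConfig{"cn=admin", "ldap-pass"}, // constructed sample
		OpenID: map[string]OIDCProvider{"keycloak": {"zot", "kc-secret"}}}
	fmt.Println(LogLine(cfg.SanitizeBefore())) // still shows kc-secret
	fmt.Println(LogLine(cfg.Sanitize()))       // both secrets are ******
}
```

Searching startup logs for the configured client secret literal, as the test below does, is a cheap regression check for any redaction routine of this kind.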

Vulnerable functions


WAF Protection Rules

WAF Rule

### Summary

When using Keycloak as an OIDC provider, the client secret gets printed into the container stdout logs, for example at container startup.
