CVE-2025-24976: 
Red Hat Enterprise Linux CoreOS (RHCOS) vulnerability analysis and mitigation

Distribution, a toolkit for container content management, has reported a security vulnerability (CVE-2025-24976) affecting registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled. The vulnerability was discovered on February 11, 2025, and allows attackers to inject untrusted signing keys in JSON Web Tokens (JWT). This vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Moderate) (Red Hat CVE).

The vulnerability stems from improper JSON Web Key (JWK) verification in the token authentication process. When a JWT contains a JWK header without a certificate chain, the code only validates the KeyID ('kid') match with trusted keys but fails to verify the actual key material. This implementation flaw is tracked as CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD, GitHub Advisory).

The vulnerability enables attackers to bypass authentication controls by injecting untrusted signing keys in JWTs. This could lead to unauthorized access and potential privilege escalation, with CVSS metrics indicating low confidentiality and integrity impact but no availability impact (Red Hat CVE).

A fix has been implemented in version 3.0.0-rc.3 and is available in commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd. There are no workarounds available for systems requiring token authentication; updating to the patched version is the only solution (GitHub Commit).