CVE-2025-27403
vulnerability analysis and mitigation

Overview

CVE-2025-27403 affects Ratify, a verification engine for Kubernetes that verifies artifact security metadata. Versions prior to 1.2.3 and 1.3.2 are affected: Ratify's Azure authentication providers did not verify the target registry during the token exchange. The issue was disclosed on March 11, 2025, and has been assigned a CVSS v4.0 score of 7.2 (HIGH) (NVD, GitHub Advisory).

Technical details

The vulnerability stems from improper validation in Ratify's Azure authentication providers when configured to authenticate to a private Azure Container Registry (ACR). When attempting to exchange an Entra ID (EID) token for an ACR refresh token, the providers did not verify that the target registry was indeed an ACR endpoint. This lack of validation could allow the EID token to be presented to non-ACR registries during token exchange. The vulnerability has been assigned a CVSS vector string of CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:L (GitHub Advisory).

Impact

If exploited, this vulnerability could allow attackers to extract and abuse Entra ID (EID) tokens with ACR access. The impact is particularly severe if a user workload contains an image reference to a malicious registry, as the compromised token could potentially be used to perform unauthorized actions within the ACR, such as accessing sensitive resources or escalating privileges (TheSecMaster).

Mitigation and workarounds

The vulnerability has been patched in Ratify versions 1.2.3 and 1.3.2. The fix implements registry domain validation against a pre-configured list of well-known ACR endpoints. EID token exchange will only proceed if at least one of the configured well-known domain suffixes matches the registry domain of the image reference. Users are strongly advised to upgrade to these patched versions (GitHub Advisory).
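The following Go program is an added example of the suffix guard described above, not Ratify's own code: the image reference's registry domain is extracted and the EID token is presented only if that domain ends with one of the configured well-known ACR suffixes. The suffix list and the token-exchange stand-in are assumptions; the advisory does not enumerate the real list.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed well-known ACR domain suffixes; the advisory does not enumerate the real list.
var wellKnownACRSuffixes = []string{".azurecr.io", ".azurecr.cn", ".azurecr.us"}

// registryHost returns the lower-cased registry domain of an image reference using the
// Docker reference rule: the first path component is a registry only if it contains '.'
// or ':' or is "localhost"; otherwise docker.io is implied.
func registryHost(ref string) string {
	parts := strings.SplitN(ref, "/", 2)
	if len(parts) == 1 || (!strings.ContainsAny(parts[0], ".:") && parts[0] != "localhost") {
		return "docker.io"
	}
	host := strings.ToLower(parts[0])
	if i := strings.LastIndex(host, ":"); i >= 0 && !strings.Contains(host[i:], "]") {
		host = host[:i] // strip a port, leaving an IPv6 literal like "[::1]" intact
	}
	return host
}

// isWellKnownACR is the post-fix guard: the registry domain must end with one of the
// configured suffixes. The leading dot stops "evilazurecr.io" from matching.
func isWellKnownACR(host string, suffixes []string) bool {
	for _, s := range suffixes {
		if strings.HasSuffix(host, strings.ToLower(s)) {
			return true
		}
	}
	return false
}

// exchangeEIDToken guards the exchange; the exchange itself is a constructed stand-in.
func exchangeEIDToken(ref, eidToken string) (string, error) {
	host := registryHost(ref)
	if !isWellKnownACR(host, wellKnownACRSuffixes) {
		return "", fmt.Errorf("refusing to present EID token to non-ACR registry %q", host)
	}
	return "acr-refresh-token-for-" + host, nil
}

func main() {
	for _, ref := range []string{"myregistry.azurecr.io/app:v1", "evil.example.com/app:v1", "nginx:latest"} {
		tok, err := exchangeEIDToken(ref, "eid-token-placeholder")
		fmt.Printf("%-30s token=%q err=%v\n", ref, tok, err)
	}
}
```

Note that a plain `strings.Contains(host, "azurecr")` check would not be enough; matching on a dot-prefixed suffix is what keeps look-alike domains from receiving the token.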

Community reactions

The vulnerability was responsibly disclosed by Shiwei Zhang and Binbin Li, with active mitigation efforts from Binbin Li and Akash Singhal. The security community has recognized this as a significant security issue, particularly for organizations using Ratify with Azure Container Registry integrations (GitHub Advisory).

This report was generated using AI.
