CVE-2025-48374: 
vulnerability analysis and mitigation

CVE-2025-48374 affects zot, a container image/artifact registry based on the Open Container Initiative Distribution Specification. The vulnerability was discovered and disclosed on May 22, 2025. The issue affects versions prior to 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f) when using Keycloak as an OIDC provider (GitHub Advisory).

The vulnerability occurs when using Keycloak as an OIDC provider, where the client secret gets exposed by being printed into the container stdout logs at container startup. The issue has been assigned a CVSS v4.0 score of 5.5 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P. The vulnerability is classified as CWE-532: Insertion of Sensitive Information into Log File (NVD).

The primary impact of this vulnerability is the exposure of sensitive authentication secrets. When an OIDC provider like Keycloak is configured, the client secret credentials are logged in plaintext to the container's stdout, potentially exposing these credentials to unauthorized users who have access to the container logs (GitHub Advisory).

The vulnerability has been fixed in version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f). Users should upgrade to this version or later to prevent the exposure of client secrets in logs. The fix includes proper sanitization of sensitive information in the configuration (GitHub Commit).