CVE-2025-48374: 
vulnerability analysis and mitigation

CVE-2025-48374 affects zot, a container image/artifact registry based on the Open Container Initiative Distribution Specification. The vulnerability was discovered and disclosed on May 22, 2025, affecting versions prior to 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f). The issue occurs when using Keycloak as an OIDC provider, where sensitive authentication information is exposed (GitHub Advisory, NVD).

The vulnerability is classified as CWE-532: Insertion of Sensitive Information into Log File. When using Keycloak as an OIDC provider, the client secret credentials are logged in plaintext to the container's stdout logs at container startup. The vulnerability has been assigned a CVSS v4.0 score of 5.5 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P (Wiz, NVD).

The primary impact of this vulnerability is the exposure of sensitive authentication secrets. When an OIDC provider like Keycloak is configured, the client secret credentials are logged in plaintext to the container's stdout, potentially exposing these credentials to unauthorized users who have access to the container logs (GitHub Advisory).

The vulnerability has been fixed in version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f). Users should upgrade to this version or later to prevent the exposure of client secrets in logs. The fix includes proper sanitization of sensitive information in the configuration (GitHub Commit).