How severe is CVE-2025-24976?

This vulnerability has a severity rating of MEDIUM with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2025-24976?

This is classified as CWE-639, which is a common weakness in software security.

CVE-2025-24976 - MEDIUM Severity | CVSS N/A

Vulnerability Description

Distribution is a toolkit to pack, ship, store, and deliver container content. Systems running registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted signing key in a JSON web token (JWT). The issue lies in how the JSON web key (JWK) verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (`kid`) matches one of the trusted keys, but doesn't verify that the actual key material matches. A fix for the issue is available at commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd and expected to be a part of version 3.0.0-rc.3. There is no way to work around this issue without patching if the system requires token authentication.

Related Vulnerabilities

CVE-2024-45032

CRITICAL

CVSS:10.0(Critical)

A vulnerability has been identified in Industrial Edge Management Pro (All versions < V1.9.5), Industrial Edge Management Virtual (All versions < V2.3.1-1). Affected components do not properly validat...

CWE-6392024

CVE-2022-1810

CRITICAL

CVSS:9.9(Critical)

Authorization Bypass Through User-Controlled Key in GitHub repository publify/publify prior to 9.2.9.

CWE-6392022

CVE-2019-12866

CRITICAL

CVSS:9.8(Critical)

An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack. The issue was fixed in 2018.4.49168.

CWE-6392019

CVE-2019-13360

CRITICAL

CVSS:9.8(Critical)

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, remote attackers can bypass authentication in the login process by leveraging knowledge of a valid username.

CWE-6392019

CVE-2019-15913

CRITICAL

CVSS:9.8(Critical)

An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, WSDCGQ01LM, RTCGQ01LM devices. Because of insecure key transport in ZigBee communication, causing attackers to gain sensitive informat...

CWE-6392019

CVE-2019-9756

CRITICAL

CVSS:9.8(Critical)

An issue was discovered in GitLab Community and Enterprise Edition 10.x (starting from 10.8) and 11.x before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Incorrect Access Control, a...

CWE-6392019