CVE-2025-23208: Zot IdP group membership revocation ignored

January 17, 2025

The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API.

References

github.com/advisories/GHSA-c9p4-xwr9-rfhx
github.com/project-zot/zot
github.com/project-zot/zot/commit/002ac62d8a15bf0cba010b3ba7bde86f9837b613
github.com/project-zot/zot/security/advisories/GHSA-c9p4-xwr9-rfhx
nvd.nist.gov/vuln/detail/CVE-2025-23208

Detect and mitigate CVE-2025-23208 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →