CVE-2025-48374: zot logs secrets
When Keycloak is used as an OIDC provider, the clientsecret is printed to the container's stdout logs, for example at container startup.
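A log audit for the exposure described above, as an added example that is not part of the advisory or of zot's own code: it scans JSON log lines for a `clientsecret` key holding an unmasked value and reports where it appears without echoing the value. The sample log lines, the alternative `client_secret` spelling and the mask placeholders are assumptions constructed for this example.

```python
import json

SECRET_KEYS = {"clientsecret", "client_secret"}  # key spellings assumed for this example
MASKS = {"", "******", "<redacted>"}  # hypothetical values treated as already masked

def _walk(node, path=""):
    """Yield (path, value) for every secret-named key with an unmasked string value."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SECRET_KEYS and isinstance(value, str):
                if value.strip() not in MASKS:
                    yield here, value
            else:
                yield from _walk(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")

def find_leaks(lines):
    """Return [(line_no, json_path, value_length)] without echoing the secret itself."""
    hits = []
    for no, line in enumerate(lines, 1):
        start = line.find("{")  # tolerate a runtime prefix (timestamp) before the JSON
        if start < 0:
            continue
        try:
            record = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # not a JSON log record
        hits.extend((no, p, len(v)) for p, v in _walk(record))
    return hits

# Constructed sample lines, not real zot output.
SAMPLE = [
    '{"level":"info","message":"starting"}',
    '2025-01-01T00:00:00Z {"level":"info","params":{"http":{"auth":{"openid":'
    '{"providers":{"oidc":{"clientid":"zot","clientsecret":"EXAMPLE-not-a-real-secret"}}}}}},'
    '"message":"configuration settings"}',
    '{"level":"info","params":{"providers":[{"clientsecret":"******"}]},"message":"masked"}',
    'plain text line',
]

if __name__ == "__main__":
    for no, path, length in find_leaks(SAMPLE):
        print(f"line {no}: {path} exposes a {length}-character value")
```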