CVE-2025-1057: Keylime registrar is vulnerable to Denial-of-Service attack when updated to version 7.12.0
The Keylime registrar implemented stricter type checking in version 7.12.0. As a result, after an update to 7.12.0 the registrar will not accept the format of the data previously stored in the database by versions >= 7.8.0 and raises an exception. This makes the Keylime registrar vulnerable to a denial-of-service attack in an update scenario: an attacker could populate the registrar database by creating multiple valid agent registrations with different UUIDs while the version is still < 7.12.0. Then, when the Keylime registrar is updated to 7.12.0, any query to the database that matches one of the entries populated by the attacker will fail.
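To make the failure mode concrete, here is an added example (not Keylime's code; the table and column names are hypothetical, since the advisory does not name the affected fields): a strict loader that raises on legacy rows the way the advisory describes, a tolerant loader that quarantines only the unparseable row, and a pre-upgrade audit an operator could run against the registrar database before moving to 7.12.0.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed sample table: a registrar-style agent table with a hypothetical
# column "regcount" that older releases stored as TEXT and the newer release
# expects as INTEGER (the real Keylime columns are not given by the advisory).
def build_sample_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE registrar_main (agent_id TEXT PRIMARY KEY, regcount, active)")
    db.executemany(
        "INSERT INTO registrar_main VALUES (?, ?, ?)",
        [
            ("11111111-1111-1111-1111-111111111111", 1, 1),         # new-format row
            ("22222222-2222-2222-2222-222222222222", "3", "True"),  # legacy-format row
            ("33333333-3333-3333-3333-333333333333", "x", 1),       # unparseable row
        ],
    )
    return db

@dataclass
class Agent:
    agent_id: str
    regcount: int
    active: bool

def strict_load(row) -> Agent:
    """Behaviour the advisory describes: any type mismatch raises, so every
    lookup that hits a legacy row fails outright."""
    agent_id, regcount, active = row
    if not isinstance(regcount, int) or not isinstance(active, int):
        raise TypeError(f"unexpected stored types for agent {agent_id}")
    return Agent(agent_id, regcount, bool(active))

def tolerant_load(row) -> Optional[Agent]:
    """Hardened variant: coerce known legacy encodings and return None for a
    row that still does not parse, so one bad record cannot fail all queries."""
    agent_id, regcount, active = row
    try:
        count = int(regcount)
    except (TypeError, ValueError):
        return None
    return Agent(agent_id, count, active in (1, "1", "True", "true"))

def pre_upgrade_audit(db: sqlite3.Connection) -> list:
    """Return the ids of rows the strict loader would reject, so they can be
    migrated or purged before the registrar is updated."""
    bad = []
    for row in db.execute("SELECT agent_id, regcount, active FROM registrar_main ORDER BY agent_id"):
        try:
            strict_load(row)
        except TypeError:
            bad.append(row[0])
    return bad
```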
References
- access.redhat.com/security/cve/CVE-2025-1057
- bugzilla.redhat.com/show_bug.cgi?id=2343894
- github.com/advisories/GHSA-9jxq-5x44-gx23
- github.com/keylime/keylime
- github.com/keylime/keylime/commit/e08b10d86c3717006774e787542c190e2ba24fc7
- github.com/keylime/keylime/security/advisories/GHSA-9jxq-5x44-gx23
- nvd.nist.gov/vuln/detail/CVE-2025-1057