Systems running registry version > 3.0.0-beta.1 with token authentication enabled.
Update to at least v3.0.0-rc.3
There is no way to work around this issue without patching if your system requires token authentication.
The issue lies in how the JWK verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (kid) matches one of the trusted keys, but doesn't verify that the actual key material matches.
Here's the problematic flow:
kid in the JWK to match one of the trusted keys' IDs (which they could potentially discover)kid exists in the trusted keys map but then uses the attacker's public key from the JWK to verify the signature| Score | Percentile |
|---|---|
| 0.11% | 30.20% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.7 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-phw4-mc57-4hwc ↗ |
| CVE | CVE-2025-24976 ↗ |
| CWE id | Name |
|---|---|
| CWE-639 | Authorization Bypass Through User-Controlled Key |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/distribution/distribution/v3 | > 3.0.0-beta.1, < 3.0.0-rc.3 | 3.0.0-rc.3 | — |