CVE-2025-24882

regclient may ignore pinned manifest digests

Description

regclient is a Docker and OCI Registry Client in Go. A malicious registry could return a different digest for a pinned manifest without detection. This vulnerability is fixed in 0.7.1.

INFO

Published Date :

2025-01-29T17:40:07.496Z

Last Modified :

2025-01-29T17:52:45.827Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-24882 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-24882.

URL	Resource
https://github.com/regclient/regclient
https://github.com/regclient/regclient/commit/7d17cff26c22196b5ddd66bda8c5ee4abf3d1269
https://github.com/regclient/regclient/security/advisories/GHSA-qv35-3gw6-8q4j
https://nvd.nist.gov/vuln/detail/CVE-2025-24882
https://www.cve.org/CVERecord?id=CVE-2025-24882

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact