CVE-2025-4374: Incorrect Privilege Assignment in Project Quay quay
A flaw was found in Quay. When an organization acts as a proxy cache, and a user or robot pulls an image that hasn't been mirrored yet, they are granted "Admin" permissions on the newly created repository.
AI Analysis
Technical Summary
CVE-2025-4374 is a vulnerability in Project Quay, a container image registry platform widely used for managing and distributing container images. The flaw arises when an organization is configured to act as a proxy cache for container images. In this scenario, if a user or automated robot requests (pulls) an image that has not yet been mirrored or cached locally, the system erroneously grants the requester Admin permissions on the newly created repository that represents this image. This incorrect privilege assignment occurs without requiring any authentication or user interaction, effectively allowing unauthorized users to gain administrative control over repositories they should not have access to. The vulnerability affects multiple versions of Quay, including version 0, 2.14.0, and 3.12.0. The CVSS 3.1 base score is 6.5, indicating medium severity. The CVSS vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), low confidentiality and integrity impact (C:L/I:L), and no availability impact (A:N). Although no exploits have been reported in the wild, the vulnerability poses a risk of unauthorized repository control, which could lead to unauthorized image modifications, data leakage, or supply chain compromise. The issue is particularly critical in environments where proxy caching is used to optimize image distribution and where strict repository access controls are necessary. The vulnerability was assigned and published by Red Hat and enriched by CISA, indicating recognition by major security authorities. No patches or exploit indicators are currently available, so organizations must monitor vendor updates closely.
Potential Impact
The primary impact of CVE-2025-4374 is unauthorized privilege escalation within Project Quay repositories. Attackers or automated systems can gain Admin permissions on newly created repositories without authentication, enabling them to modify, delete, or replace container images. This can compromise the integrity of container images, potentially introducing malicious code or backdoors into containerized applications. Confidentiality risks arise if sensitive image metadata or configurations are exposed or altered. Although availability is not directly impacted, the trustworthiness of container images is undermined, which can disrupt development pipelines, continuous integration/continuous deployment (CI/CD) workflows, and production environments. Organizations relying on Quay for container image management, especially those using proxy cache configurations, face increased risk of supply chain attacks and insider threats. The vulnerability could facilitate lateral movement within networks if attackers leverage compromised images to escalate privileges or access other systems. Given the widespread adoption of container technologies globally, the impact can be significant across industries including finance, healthcare, technology, and critical infrastructure sectors.
Mitigation Recommendations
To mitigate CVE-2025-4374, organizations should implement the following specific measures:
1) Immediately review and restrict the use of proxy cache functionality in Project Quay, disabling it if not essential.
2) Monitor repository creation events and audit access logs to detect unauthorized repository creation or privilege escalations.
3) Apply strict access control policies limiting who can create or modify repositories, leveraging role-based access control (RBAC) features.
4) Isolate Quay instances within secure network segments and enforce network-level restrictions to limit exposure to untrusted users or automated robots.
5) Implement image signing and verification processes to detect unauthorized image modifications.
6) Stay informed on vendor advisories and apply patches or updates as soon as they become available.
7) Conduct regular security assessments and penetration testing focused on container registry configurations.
8) Educate DevOps and security teams about this vulnerability to ensure rapid detection and response.
These steps go beyond generic advice by focusing on proxy cache usage, monitoring repository creation, and enforcing strict RBAC controls tailored to this specific flaw.
Affected Countries
United States, Germany, United Kingdom, Canada, France, Japan, South Korea, Australia, Netherlands, Sweden, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-05-06T01:24:21.315Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d981bc4522896dcbd9ec5
Added to database: 5/21/2025, 9:08:43 AM
Last enriched: 2/27/2026, 2:28:15 PM
Last updated: 3/24/2026, 10:28:09 AM