CVE-2025-48374: CWE-532: Insertion of Sensitive Information into Log File in project-zot zot

Medium
Tags: Vulnerability, CVE-2025-48374, cve, cve-2025-48374, cwe-532
Published: Thu May 22 2025 (05/22/2025, 20:43:13 UTC)
Source: CVE
Vendor/Project: project-zot
Product: zot

Description

zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f), when using Keycloak as an OIDC provider, the client secret gets printed into the container stdout logs, for example at container startup. Version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f) fixes the issue.

AI-Powered Analysis

Last updated: 07/08/2025, 04:40:35 UTC

Technical Analysis

CVE-2025-48374 is a medium-severity vulnerability classified under CWE-532 (Insertion of Sensitive Information into Log File). The affected product is zot, a container image and artifact registry that implements the Open Container Initiative Distribution Specification. The vulnerability affects versions prior to 2.1.3 (Go pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f). When zot is configured to use Keycloak as an OpenID Connect (OIDC) provider, the OIDC client secret, the credential that authenticates zot as a confidential client to Keycloak, is written to the container's standard output log, for example at startup. No interaction with zot's API is needed to obtain it: anyone who can read the container's stdout, whether through the container runtime, a `kubectl logs` equivalent, or any log aggregation system the output is shipped to, gets the secret in clear text. The CVSS 4.0 vector reflects this: attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), high confidentiality impact (VC:H), and no impact on integrity or availability. An attacker who reads the logs can use the secret to authenticate to Keycloak as zot's client and reach whatever that client is authorized for. Version 2.1.3 (pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f) fixes the issue by no longer logging the client secret. No exploits in the wild are known. Note that upgrading does not remove the secret from logs that were already written and retained; a secret that was present in a vulnerable deployment's logs should be treated as compromised. The issue is a textbook case of credential leakage through careless logging of configuration state, which turns a read-only view of logs into a usable credential for the authentication service.

Potential Impact

For European organizations running zot in their container infrastructure, the risk is leakage of the Keycloak client secret, which undermines the trust between the registry and its identity provider. With that secret, an attacker can authenticate to Keycloak as zot's confidential client: completing authorization-code exchanges as the registry would, or, where the client has such grants enabled, obtaining tokens directly. What that buys depends on the roles and scopes Keycloak grants the client, but it can extend to unauthorized access to container images and artifacts, or to other internal services that trust the same client. For organizations under GDPR or similar regimes, a credential disclosure of this kind may also be a reportable incident. The leak further raises the risk of lateral movement or supply chain compromise where the registry sits in a build or deployment pipeline. The exposure does require access to the container's stdout or to the systems that collect it, which limits the attack surface to insiders, to compromised logging infrastructure, and to attackers who have already breached perimeter defenses; note, however, that log aggregation systems are often readable by far more people than the registry host itself. With no known exploits in the wild the immediate threat is low, but the secret should be considered exposed wherever a vulnerable version ran with the Keycloak configuration.

Mitigation Recommendations

European organizations should upgrade zot to version 2.1.3 (pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f) or later, which stops logging the client secret. Upgrading does not scrub logs already written: rotate the Keycloak client secret for every deployment that ran a vulnerable version with the Keycloak OIDC configuration, update zot's configuration with the new value, and purge or restrict access to retained startup logs (container runtime logs, log shipper buffers, SIEM indices) that contain the old one. Beyond this specific issue, audit container logging to confirm that sensitive values are not emitted: search captured startup logs for the literal secret value after each configuration change, and review startup scripts, environment dumps, and any custom logging. Restrict who can read container logs and the runtime environment. Use a secrets management solution to inject credentials at runtime rather than embedding them in environment variables or configuration files that get echoed at startup. Rotate client secrets on a schedule to bound the exposure window if another leak occurs. Finally, monitor Keycloak for unexpected token requests from the zot client, for instance from source addresses that are not the registry, which would indicate use of a leaked secret.
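The following is an added example illustrating the bug class in the Technical Analysis above and the post-patch check from the Mitigation Recommendations. It is not zot's code and does not reproduce the actual fix: the `OIDCProvider` struct, its field names, the `Secret` wrapper type, and the sample startup log are all constructed for illustration. The vulnerable form dumps the whole provider config with `%+v`, which is exactly how a client secret ends up on stdout; the hardened form keeps the same log statement but wraps the secret in a type whose `String`, `GoString` and `MarshalJSON` renderings are redacted, so neither `fmt` nor structured JSON logging can leak it by accident. `FindLeakedSecrets` is the practical check a practitioner runs against captured container output after upgrading or rotating.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// OIDCProvider is a hypothetical config block for an OIDC provider such as
// Keycloak. The field names are illustrative assumptions, not zot's own types.
type OIDCProvider struct {
	Name         string
	Issuer       string
	ClientID     string
	ClientSecret string
}

// RenderConfigVulnerable reproduces the class of bug behind CWE-532: the whole
// struct is formatted with %+v at startup, so ClientSecret lands in stdout.
func RenderConfigVulnerable(p OIDCProvider) string {
	return fmt.Sprintf("loaded oidc provider: %+v", p)
}

// Secret is a string type whose default renderings are redacted. fmt consults
// Stringer/GoStringer and encoding/json consults Marshaler, so a careless
// %v, %+v, %#v or json.Marshal of a struct containing a Secret cannot leak it.
type Secret string

func (s Secret) String() string                { return "[REDACTED]" }
func (s Secret) GoString() string              { return "[REDACTED]" }
func (s Secret) MarshalJSON() ([]byte, error) { return json.Marshal("[REDACTED]") }

// Reveal is the single deliberate path to the raw value, for the HTTP client
// that actually talks to the provider.
func (s Secret) Reveal() string { return string(s) }

// HardenedOIDCProvider is the same config with the secret wrapped.
type HardenedOIDCProvider struct {
	Name         string
	Issuer       string
	ClientID     string
	ClientSecret Secret
}

// RenderConfigHardened uses the very same log statement as the vulnerable
// version; the type system does the redaction.
func RenderConfigHardened(p HardenedOIDCProvider) string {
	return fmt.Sprintf("loaded oidc provider: %+v", p)
}

// RenderConfigJSON shows the same guarantee holds for structured (JSON) logging.
func RenderConfigJSON(p HardenedOIDCProvider) (string, error) {
	b, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// FindLeakedSecrets scans captured stdout for any of the known secret values and
// returns the 1-based line numbers that contain one. Running it against a
// container's startup log is the practical check that a fix or redaction holds.
func FindLeakedSecrets(logText string, secrets []string) []int {
	var hits []int
	for i, line := range strings.Split(logText, "\n") {
		for _, s := range secrets {
			if s != "" && strings.Contains(line, s) {
				hits = append(hits, i+1)
				break
			}
		}
	}
	return hits
}

// SampleSecret and SampleStartupLog are constructed test data, not a real
// credential and not real zot output.
const SampleSecret = "constructed-client-secret-0123456789"

const SampleStartupLog = `{"level":"info","message":"starting registry"}
{"level":"info","message":"loaded oidc provider: {Name:keycloak Issuer:https://sso.example.test/realms/zot ClientID:zot-registry ClientSecret:constructed-client-secret-0123456789}"}
{"level":"info","message":"listening on :5000"}`

func main() {
	vuln := OIDCProvider{Name: "keycloak", Issuer: "https://sso.example.test/realms/zot", ClientID: "zot-registry", ClientSecret: SampleSecret}
	hard := HardenedOIDCProvider{Name: vuln.Name, Issuer: vuln.Issuer, ClientID: vuln.ClientID, ClientSecret: Secret(SampleSecret)}

	fmt.Println("vulnerable:", RenderConfigVulnerable(vuln))
	fmt.Println("hardened:  ", RenderConfigHardened(hard))
	if js, err := RenderConfigJSON(hard); err == nil {
		fmt.Println("json:      ", js)
	}
	fmt.Println("leaked secret on log lines:", FindLeakedSecrets(SampleStartupLog, []string{SampleSecret}))
	fmt.Println("raw value still reachable on purpose:", hard.ClientSecret.Reveal() == SampleSecret)
}
```

The wrapper-type approach is preferable to remembering to omit one field at every log site, because it makes the safe behaviour the default and the unsafe one (`Reveal()`) explicit and greppable in code review. Note that it only protects exported fields printed through `fmt` or `encoding/json`; a log call that concatenates `string(p.ClientSecret)` by hand still leaks, which is why the scan over real captured output remains worthwhile.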

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-19T15:46:00.395Z
CISA Enriched: false
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682f99000acd01a249270034

Added to database: 5/22/2025, 9:37:04 PM

Last enriched: 7/8/2025, 4:40:35 AM

Last updated: 8/14/2025, 9:25:40 PM
