What the vulnerability does
01Description
regclient is a Docker and OCI Registry Client in Go. A malicious registry could return a different digest for a pinned manifest without detection. This vulnerability is fixed in 0.7.1.
CVE-2025-24882
MEDIUM
CVE-2025-24882: regclient may ignore pinned manifest digests
CVSS base score
5.2/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N
Key dates
02Disclosure timeline
January 29, 2025
CVE published
January 29, 2025
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2024-28028
CVE-2023-42661 JFrog Artifactory Improper input validation leads to arbitrary file write
CVE-2024-42175 HCL MyXalytics is affected by a weak input validation vulnerability
CVE-2023-32015 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
CVE-2026-22046 iccDEV has heap-buffer-overflow in CIccProfileXml::ParseBasic() at IccXML/IccLibXML/IccProfileXml.cpp
