CVE-2025-4374

Summary

A flaw was found in Quay. When an organization acts as a proxy cache, and a user or robot pulls an image that hasn't been mirrored yet, they are granted "Admin" permissions on the newly created repository.

Affected Software

VendorProductVersion RangeStatus
Project Quayquay0 < 3.11.11affected
Project Quayquay2.14.0 < 3.14.2affected
Project Quayquay3.12.0 < 3.12.10affected

Weaknesses

  • CWE-266: Incorrect Privilege Assignment

Workarounds

Permissions can be updated after creation but there's no preventative measure before hand.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References