CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-27403: Ratify Azure authentication providers can leak authentication tokens to non-Azure container registries

7.2 CVSS

Description

Ratify is a verification engine as a binary executable and on Kubernetes which enables verification of artifact security metadata and admits for deployment only those that comply with policies the user creates. In a Kubernetes environment, Ratify can be configured to authenticate to a private Azure Container Registry (ACR). The Azure workload identity and Azure managed identity authentication providers are configured in this setup. Users that configure a private ACR to be used with the Azure authentication providers may be impacted by a vulnerability that exists in versions prior to 1.2.3 and 1.3.2. Both Azure authentication providers attempt to exchange an Entra ID (EID) token for an ACR refresh token. However, Ratify’s Azure authentication providers did not verify that the target registry is an ACR. This could have led to the EID token being presented to a non-ACR registry during token exchange. EID tokens with ACR access can potentially be extracted and abused if a user workload contains an image reference to a malicious registry. As of versions 1.2.3 and 1.3.2, the Azure workload identity and Azure managed identity authentication providers are updated to add new validation prior to EID token exchange. Validation relies upon registry domain validation against a pre-configured list of well-known ACR endpoints. EID token exchange will be executed only if at least one of the configured well-known domain suffixes (wildcard support included) matches the registry domain of th...

Classification

CVE ID: CVE-2025-27403

CVSS Base Severity: HIGH

CVSS Base Score: 7.2

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:L

Problem Types

CWE-287: Improper Authentication

Affected Products

Vendor: ratify-project

Product: ratify

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.19% (probability of being exploited)

EPSS Percentile: 37.33% (scored less or equal to compared to others)

EPSS Date: 2025-04-09 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27403
https://github.com/ratify-project/ratify/security/advisories/GHSA-44f7-5fj5-h4px
https://github.com/ratify-project/ratify/commit/0ec0c08490e3d672ae64b1a220c90d5484f1c93f
https://github.com/ratify-project/ratify/commit/84c7c48fa76bb9a1c9583635d1e90bc25b1a546c

Timeline