CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

CVE-2024-39897
CVSS 4.3 · EPSS 0.36%

Zot's Dedupe Deception: How a Cache Feature Became an Authorization Bypass

Alon Barad
Software Engineer

Jan 3, 2026 · 9 min read

PoC Available

Executive Summary (TL;DR)

Zot's deduplication feature, enabled by default, allowed authenticated users to steal container image layers from private repositories. By requesting a known blob digest in a repository they *did* have access to, they could trick Zot into copying the restricted blob from a global cache, bypassing all access control policies.

Zot, an OCI image registry, contains a critical authorization bypass vulnerability in its blob deduplication feature. Prior to version 2.1.0, an authenticated attacker with access to a single repository could read any blob from any other repository on the same instance, provided they knew the blob's digest. The flaw stemmed from the global cache, which would happily serve up blobs without verifying if the user was authorized to access the blob's original source repository, effectively turning a storage optimization feature into a data exfiltration vector.
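To make the control failure concrete, here is an added illustrative model of a content-addressed registry with a global dedupe index. It is not Zot's code, and the Registry type, its methods, and the sample users, repositories and digests are all constructed for this example; the real fix is the commit referenced in the timeline. The vulnerable lookup evaluates the access policy against the repository named in the request and then falls back to the shared store for any digest it is missing, which is exactly the CWE-639 shape: the digest is a user-controlled key that selects content the policy never covered. The hardened lookup serves only digests actually linked in the requested repository.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model of a content-addressed registry with a global dedupe
// index; not Zot's code. Type, function and sample names are assumptions.
var ErrDenied = errors.New("access denied")
var ErrNotFound = errors.New("blob not found")

// Registry keeps each digest once (dedupe) and records which repositories
// have it linked. The access policy is evaluated per repository.
type Registry struct {
	store  map[string][]byte          // digest -> bytes, kept once per digest
	links  map[string]map[string]bool // repo -> digest -> linked in that repo
	policy map[string]map[string]bool // user -> repo -> may read
}

// Grant gives user read access to repo.
func (r *Registry) Grant(user, repo string) {
	if r.policy[user] == nil {
		r.policy[user] = map[string]bool{}
	}
	r.policy[user][repo] = true
}

// Push links digest into repo; the bytes are stored only on first sight.
// Push-side authorization is left out of the model.
func (r *Registry) Push(repo, digest string, data []byte) {
	if _, seen := r.store[digest]; !seen {
		r.store[digest] = data
	}
	if r.links[repo] == nil {
		r.links[repo] = map[string]bool{}
	}
	r.links[repo][digest] = true
}

func (r *Registry) canRead(user, repo string) bool { return r.policy[user][repo] }

// GetBlobVulnerable evaluates the policy for the requested repo only. When the
// digest is not linked there it falls back to the global store and serves the
// bytes anyway: a user-controlled key selecting content the policy never
// covered (CWE-639).
func (r *Registry) GetBlobVulnerable(user, repo, digest string) ([]byte, error) {
	if !r.canRead(user, repo) {
		return nil, ErrDenied
	}
	if r.links[repo][digest] {
		return r.store[digest], nil
	}
	if data, cached := r.store[digest]; cached {
		return data, nil // another repo's content, no check against its policy
	}
	return nil, ErrNotFound
}

// GetBlobFixed serves a digest only if it is linked in the requested repo.
// Dedupe stays a storage detail, and a guessed digest gets the same "not
// found" as an unknown one, so the shared store reveals neither bytes nor
// existence.
func (r *Registry) GetBlobFixed(user, repo, digest string) ([]byte, error) {
	if !r.canRead(user, repo) {
		return nil, ErrDenied
	}
	if r.links[repo][digest] {
		return r.store[digest], nil
	}
	return nil, ErrNotFound
}

// BuildScenario loads constructed sample data: alice may read only public/app;
// a layer she must not see is linked only in private/secrets. The digests are
// placeholders, not real hashes.
func BuildScenario() *Registry {
	r := &Registry{
		store:  map[string][]byte{},
		links:  map[string]map[string]bool{},
		policy: map[string]map[string]bool{},
	}
	r.Grant("alice", "public/app")
	r.Push("public/app", "sha256:base", []byte("shared base layer"))
	r.Push("private/secrets", "sha256:base", []byte("shared base layer")) // legitimately deduped
	r.Push("private/secrets", "sha256:secret", []byte("private layer"))
	return r
}

func main() {
	r := BuildScenario()
	data, err := r.GetBlobVulnerable("alice", "public/app", "sha256:secret")
	fmt.Printf("vulnerable: data=%q err=%v\n", data, err)
	data, err = r.GetBlobFixed("alice", "public/app", "sha256:secret")
	fmt.Printf("fixed:      data=%q err=%v\n", data, err)
}
```

Run it with `go run`: the vulnerable path hands alice the private layer through a repository she is allowed to read, the fixed path answers "not found". Two design points carry over to any deduplicating store. First, the authorization decision must be bound to the resource that is actually returned, not to the name the client chose; linking is the record of which repositories legitimately hold a digest, so the link, not the shared store, is what a read should consult. Second, the hardened path deliberately returns the same "not found" for an unlinked-but-cached digest as for an unknown one, so the cache cannot be used as an existence oracle. On the detection side, a registry log line for a blob GET whose digest was never linked in the requested repository is a useful signal to alert on while unpatched instances remain.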

Fix Analysis (1)

Technical Appendix

CVSS Score
4.3 / 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Probability
0.36%
Top 99% most exploited

Affected Systems

Zot OCI Image Registry

Affected Versions Detail

Product: zot (project-zot)
Affected Versions: < 2.1.0
Fixed Version: 2.1.0

CWE ID: CWE-639
CWE Name: Authorization Bypass Through User-Controlled Key
Attack Vector: Network
Privileges Required: Low (Authenticated User)
CVSS 3.1 Score: 4.3 (Medium)
Impact: Low Confidentiality (Information Disclosure)
Exploit Status: Proof-of-Concept
KEV Status: Not Listed

MITRE ATT&CK Mapping

T1078 Valid Accounts (Defense Evasion, Persistence, Privilege Escalation, Initial Access)
T1213 Data from Information Repositories (Collection)
CWE-639
Authorization Bypass Through User-Controlled Key

The software uses a user-controlled key or index to access, modify, or retrieve a resource, but it does not sufficiently validate the key, allowing an attacker to access unauthorized resources.

Vulnerability Timeline

2024-07-08: Fix was committed to the main branch.
2024-07-09: CVE-2024-39897 was published by NVD.
2024-07-09: GitHub Security Advisory GHSA-55r9-5mx9-qq7r published.
2024-07-09: Zot version 2.1.0, containing the fix, was released.

References & Sources

  • [1] GitHub Security Advisory GHSA-55r9-5mx9-qq7r
  • [2] Fix Commit on GitHub
  • [3] NVD Entry for CVE-2024-39897

Attack Flow Diagram

(Interactive diagram; not reproduced in text.)