Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation.
AnalysisAI
OpenShift Mirror Registry leaks valid usernames and email addresses through inconsistent error messages during authentication and account creation, enabling unauthenticated remote attackers to enumerate registered users. CVSS score of 5.3 reflects the low confidentiality impact with no authentication required and low attack complexity; no public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
The vulnerability stems from CWE-209 (Information Exposure Through an Error Message), a class of flaw where disparate error responses reveal sensitive information. OpenShift Mirror Registry, a Red Hat container image registry component, fails to implement uniform error handling across authentication and account creation endpoints. An attacker can send requests to login and registration endpoints, analyzing response codes, messages, or timing differences to determine whether an email address or username exists in the system. This information disclosure attack requires no authentication (PR:N per CVSS vector) and no special user interaction, making it a low-complexity enumeration vector.
RemediationAI
Apply the patch released by Red Hat for Mirror Registry. Consult the Red Hat Security Advisory at https://access.redhat.com/security/cve/CVE-2025-14243 and Bugzilla ticket 2419829 for the specific patched version applicable to your deployment. In interim periods, implement rate limiting and monitoring on authentication and account creation endpoints to detect enumeration attempts, and consider network-level access controls restricting these endpoints to trusted networks if operational context permits. Upgrade to the patched version as soon as testing and deployment windows allow.
Authenticated remote code execution in Red Hat Quay 3 and Mirror Registry for Red Hat OpenShift arises from unsafe deser
Red Hat Quay's container image upload mechanism allows authenticated users with push privileges to interfere with concur
Server-side request forgery (SSRF) in Red Hat Mirror Registry and Red Hat Quay 3.x allows authenticated users to conduct
Server-Side Request Forgery (SSRF) in Red Hat Quay's Proxy Cache configuration allows authenticated organization adminis
Same weakness CWE-209 – Error Message Information Leak
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209308
GHSA-v9gq-365f-qxxw