Update module oras.land/oras-go/v2 to v2.6.1 [SECURITY] (main)#3378
Open
renovate[bot] wants to merge 1 commit into
Open
Update module oras.land/oras-go/v2 to v2.6.1 [SECURITY] (main)#3378renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
|
🤖 Finished Review · ✅ Success · Started 6:15 AM UTC · Completed 6:19 AM UTC |
|
Looks good to me Labels: PR is a Go dependency security update via Renovate |
Codecov Report✅ All modified and coverable lines are covered by tests.
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v2.6.0→v2.6.1Warning
Some dependencies could not be looked up. Check the warning logs for more information.
oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens
CVE-2026-48978 / GHSA-xf85-363p-868w
More information
Details
Summary
oras-go's
auth.Clientfollows therealmURL from a registry'sWWW-Authenticate: Bearerchallenge without validating its scheme or host. Therealmfield is server-controlled by design in the OCI/distribution spec — registries legitimately point token requests at a separate auth endpoint (e.g. Docker Hub'sregistry-1.docker.io->auth.docker.io), so cross-host realms on public DNS names are not in themselves a vulnerability. Two specific patterns, however, are never legitimate under any registry trust model and can be abused by a malicious or compromised registry (or a man-in-the-middle on a plaintext connection):SSRF to internal networks. A realm of
http://169.254.169.254/...(AWS/Azure IMDS),http://10.0.0.x/...(RFC 1918), orhttp://127.0.0.1/...causes oras-go running on a cloud VM or corporate workstation to issue outbound HTTP requests from inside the user's trust boundary to an endpoint the user did not choose. The user's stored credentials are attached to those requests, but the principal harm is the network primitive — probing internal endpoints from the client. On IMDSv1 the response body is recoverable from log channels; on IMDSv2 the probe itself can still be used for service discovery.TLS downgrade. A registry contacted over
https://can return a realm with anhttp://scheme, causing oras-go to send the user's credentials over plaintext to the token endpoint. This defeats the transport security the user chose when typinghttps://.What is NOT claimed
This advisory does not claim that credential forwarding to an arbitrary public attacker host through a server-controlled realm is, on its own, a vulnerability. The distribution spec defines
realmas a server-controlled field; a strict same-host or same-eTLD+1 enforcement would deviate from the spec and break legitimate split-host deployments. Operators who want defense-in-depth against cross-host realm forwarding can use the opt-inClient.TrustedRealmHostsallowlist (added separately).Affected versions
oras.land/oras-go/v2 <= v2.6.0Severity
Medium. Network attack vector, low complexity, no privileges required, user interaction required (victim runs an oras command against the malicious or MITM'd registry), unchanged scope. Confidentiality impact is limited — IMDS probe responses can disclose information, and TLS downgrade exposes the realm request to passive observers — but the attacker does not obtain credentials beyond what the malicious endpoint already controls.
Affected code
registry/remote/auth/client.go—Client.Do()(bearer challenge handling)registry/remote/auth/client.go—Client.fetchBearerToken()/fetchDistributionToken/fetchOAuth2TokenThe
realmparameter fromparseChallengeis threaded through tohttp.NewRequestWithContextwithout scheme or host validation.CWE
Patch
registry/remote/auth/client.gonow rejects realm URLs that:httporhttpshttpwhen the registry was contacted overhttps(TLS downgrade)Cross-host realms on public DNS names continue to be accepted.
Credit
Reported by bugbunny.ai.
Severity
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header
CVE-2026-50151 / GHSA-jxpm-75mh-9fp7
More information
Details
Summary
oras-go follows a registry-controlled
Locationheader during the monolithic blob upload flow and reuses theAuthorizationheader from the initialPOSTrequest for the subsequentPUTrequest. If a malicious registry returns a cross-hostLocation, oras-go can send the caller's credentials to an attacker-controlled endpoint.Affected Versions
tested: v2.6.0 (commit 03243809936cce826494b5506f724c6dc11115b1, as-of 2026-01-24)
range: unknown; likely affects earlier v2.x releases that include the same upload flow
Impact
Credential leak to an attacker-controlled endpoint and client-side ssrf to a cross-host target.
Affected Component
registry/remote/repository.go:878-916(blobStore.completePushAfterInitialPost)Reproduction
Attachments include
poc.zipwith a local-only harness (no real registry required). It runs a fake registry server that returns a cross-hostLocationand a second server that records whether it receivedAuthorization.unzip -q -o poc.zip -d /tmp/poc cd /tmp/poc/poc-F-ORAS-LOCATION-UPLOAD-001 make canonical make controlRecommended Fix
Locationbefore uploading (scheme + hostname + effective port) against the original request, or require an explicit opt-in allowlist for cross-host upload urlsAuthorizationwhen the upload target changes host or schemereferences
registry/remote/repository.go(seeblobStore.completePushAfterInitialPost)Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
oras-go has file store write outside workingDir via symlink traversal
CVE-2026-50162 / GHSA-8xwf-rjm4-xvhv
More information
Details
The file content store in
oras-goattempts to confine writes toworkingDirwhenAllowPathTraversalOnWrite=false, but the guard is lexical and does not account for symlink traversal. IfworkingDircontains a symlink path component and an attacker-controlled blob title (viaocispec.AnnotationTitle) targets a path under that symlink,pushFile()can create a file outsideworkingDir.relevant links
resolveWritePath()(used bypushFile())vulnerability details
pins: oras-project/oras-go@0324380
as-of: 2026-02-17
policy: GitHub Security Advisory (oras-project/oras-go)
callsite: content/file/file.go:609
resolveWritePath()→pushFile()attacker control: Attacker controls the pushed name (
ocispec.AnnotationTitle) and can select a path with a symlink path component underworkingDir→resolveWritePath()blocks..viafilepath.Relbut does not prevent symlink traversal →pushFile()opens/creates the final path and follows the symlink → a file is created outsideworkingDirroot cause
resolveWritePath()enforces the write boundary using afilepath.Rel-style check againstworkingDir. This prevents../escapes but is purely lexical and does not resolve symlinks. If a path component underworkingDiris a symlink to an external location, the subsequent filesystem operation inpushFile()follows that symlink and performs the write outsideworkingDirwhile still passing the lexical boundary check.attack path
ocispec.AnnotationTitle) that contains a path likeout/pwn.txt.oras-gofile store withAllowPathTraversalOnWrite=falseand aworkingDirthat contains a symlink directoryout -> /some/outside/dir.out/pwn.txtas being underworkingDir./some/outside/dir/pwn.txt.impact
This is a filesystem boundary bypass that permits writes outside
workingDirwhen a symlink path component exists underworkingDir. The concrete security impact depends on the runtime environment (what filesystem locations are writable by the process and what downstream consumers do with the written file), but the intended confinement guarantee is violated.proof of concept
the attached
poc.zipcontains a small, self-contained go harness that demonstrates:[CALLSITE_HIT]and[PROOF_MARKER]and shows the file is created outsideworkingDir[NC_MARKER]and confirms no outside write occursrun:
expected: when
AllowPathTraversalOnWrite=false, file store writes should not be able to escapeworkingDir, including via symlink traversal.actual: A symlink path component under
workingDirallows writes to escapeworkingDireven whenAllowPathTraversalOnWrite=false.recommended fix
ensure confinement checks account for symlink traversal. Options include rejecting symlinks in any path component (walk components with
os.Lstat), validating the resolved parent directory viaEvalSymlinksand enforcing it remains under the resolvedworkingDir, or using anopenat()-style approach so the check and open happen relative to a trusted directory file descriptor.fix accepted when: The canonical PoC no longer prints
[PROOF_MARKER]for the same attacker-controlled inputs.cheers,
Oleh
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
ORAS Go forwards registry credentials across registry redirects
GHSA-vh4v-2xq2-g5cg
More information
Details
ORAS Go forwards registry credentials across registry redirects
Reporter / public credit: JUNYI LIU
Summary
ORAS Go can forward registry credentials configured for one registry origin to a different HTTP origin during registry redirects.
There are two related paths:
Authorizationheader to the redirect target.POSTauthenticates to the origin registry, then the origin returns an uploadLocationon another host or port. The follow-upPUTcan carry the originAuthorizationheader to theLocationtarget.The upload
Locationissue appears related to the existing public fix in pull request #1152 / GHSA-jxpm-75mh-9fp7. The manifest redirect path is a residual adjacent route: the v2 branch after the uploadLocationfix still forwards Basic credentials on an authenticated manifest redirect.Impact
A registry response can cause an ORAS Go or ORAS CLI client to send configured registry credentials to an unintended endpoint. In common workflows, those credentials may come from a registry config / Docker-style auth file rather than command-line flags.
This is a credential exposure across the registry-origin boundary. I am not claiming remote code execution, registry compromise, arbitrary token theft, or live third-party impact.
Affected Versions Tested
oras-go v2.6.0: affected.oras-gomain at commita57383e580c8f2c97fb67dedfc5c9945c8c3614e: affected.oras-gov2 branch at commitd593d504779be8b69f0ba034ac9fd407d1fc8cfc: uploadLocationpath is blocked, but manifest redirect credential forwarding is still affected.3d2646279c70ba60415440e44c2ff97896e4a209, usingoras-go v2.6.0: affected when using--registry-config.Security Invariant
Credentials resolved for one registry origin should not be silently forwarded to a different origin reached through a registry redirect or upload
Locationresponse.Local Reproduction Overview
All testing used loopback servers and fake credentials only.
Manifest redirect flow:
401with a Basic challenge.307to another port on the same hostname.Authorizationheader.ORAS CLI stored-credential flow:
Authorizationheader.Blob upload
Locationflow:POSTto the origin registry.POST.LocationURL on another port.PUTto theLocationtarget carries the originAuthorizationheader.Expected Result
Redirect and upload
Locationtargets on a different HTTP origin should not receive the originAuthorizationheader.Observed Result
In affected versions, redirect or
Locationsinks received:Authorization: Basic <base64 origin_user:origin_pass>Standalone Reproducer
Candidate Fix
The candidate fix does two things:
Authorizationis removed when a redirect changes HTTP origin, while preserving any caller-providedCheckRedirectcallback.POSTAuthorizationheader when the uploadLocationremains on the same HTTP origin.The patch also adds regression coverage for both redirect cases:
Validation Performed
The repaired candidate fix blocked:
Locationcredential forwarding.Targeted tests passed:
Prior Art / Duplicate Notes
Public pull request #1152 fixes credential forwarding via unvalidated blob upload
Locationand references GHSA-jxpm-75mh-9fp7. The residual manifest redirect path described here is adjacent but not covered by that PR's stated uploadLocationscope.Bearer realm credential exfiltration appears to be a separate issue family and is not part of this report's primary claim.
Claim Boundaries
Proven:
Locationorigin in local loopback tests.Locationcredential exposures.Not claimed:
Locationorigin transitions.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.