PT-2026-54776 · Oras-Go · Oras-Go
Published
2026-07-01
·
Updated
2026-07-02
·
CVE-2026-50151
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
oras-go versions prior to 2.6.0
Description
During the monolithic blob upload flow, the software follows a registry-controlled
Location header and reuses the Authorization header from the initial POST request for the subsequent PUT request. If a malicious registry returns a cross-host Location, the caller's credentials can be sent to an attacker-controlled endpoint. This issue occurs within the blobStore.completePushAfterInitialPost() function located in registry/remote/repository.go. This can lead to a credential leak and client-side Server-Side Request Forgery (SSRF), where the server is tricked into making requests to an unintended destination.Recommendations
Update oras-go to a version later than 2.6.0.
Validate the
Location header (including scheme, hostname, and effective port) against the original request before uploading.
Implement an explicit opt-in allowlist for cross-host upload URLs.
Ensure the Authorization header is never forwarded when the upload target changes host or scheme.Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Oras-Go