PT-2026-54777 · Oras-Go · Oras-Go
Published
2026-07-01
·
Updated
2026-07-02
·
CVE-2026-50163
CVSS v3.1
7.1
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
oras-go (affected versions not specified)
Description
A path traversal issue exists in the tar-extraction helper
ensureLinkPath() function within the content/file/utils.go file. The function validates that a hardlink target resolves inside the extraction base but returns the original unresolved target string to the caller. When the caller uses os.Link() to create a hardlink, relative paths are resolved against the process's current working directory (CWD) instead of the intended extraction directory.An attacker controlling an OCI-compliant registry can craft a malicious tarball containing a hardlink entry with a relative
Linkname variable. When a victim pulls this artifact using oras pull or any Go program utilizing oras-go/v2/content/file, a hardlink is created inside the extraction tree that points to an arbitrary file in the invoker's CWD. This allows the attacker to read sensitive files (such as .env files or credentials) or modify them via inode-sharing tampering.If the process is running as root, this can be used to access any file on the host filesystem, including
/etc/shadow. On Linux systems with fs.protected hardlinks enabled, the attacker is limited to files the user owns or has write access to within the CWD.Recommendations
Modify the
ensureLinkPath() function to return both the verbatim target for symlinks and the resolved absolute path for hardlinks, ensuring that the TypeLink case uses the resolved absolute path when calling os.Link().Fix
Link Following
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Oras-Go