PT-2026-54777 · Oras-Go · Oras-Go

Published

2026-07-01

·

Updated

2026-07-02

·

CVE-2026-50163

CVSS v3.1

7.1

High

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions oras-go (affected versions not specified)
Description A path traversal issue exists in the tar-extraction helper ensureLinkPath() function within the content/file/utils.go file. The function validates that a hardlink target resolves inside the extraction base but returns the original unresolved target string to the caller. When the caller uses os.Link() to create a hardlink, relative paths are resolved against the process's current working directory (CWD) instead of the intended extraction directory.
An attacker controlling an OCI-compliant registry can craft a malicious tarball containing a hardlink entry with a relative Linkname variable. When a victim pulls this artifact using oras pull or any Go program utilizing oras-go/v2/content/file, a hardlink is created inside the extraction tree that points to an arbitrary file in the invoker's CWD. This allows the attacker to read sensitive files (such as .env files or credentials) or modify them via inode-sharing tampering.
If the process is running as root, this can be used to access any file on the host filesystem, including /etc/shadow. On Linux systems with fs.protected hardlinks enabled, the attacker is limited to files the user owns or has write access to within the CWD.
Recommendations Modify the ensureLinkPath() function to return both the verbatim target for symlinks and the resolved absolute path for hardlinks, ensuring that the TypeLink case uses the resolved absolute path when calling os.Link().

Fix

Link Following

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-50163
GHSA-FXHP-MV3V-67QP

Affected Products

Oras-Go