PT-2026-55208 · Oras-Go · Oras-Go
Published
2026-07-01
·
Updated
2026-07-06
·
CVE-2026-48978
CVSS v4.0
2.1
Low
| Vector | AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
oras.land/oras-go/v2 versions prior to v2.6.1
Description
The
auth.Client in oras-go follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating its scheme or host. This can be abused by a malicious or compromised registry, or via a man-in-the-middle attack on plaintext connections, to perform the following:- Server-Side Request Forgery (SSRF): By providing a
realmpointing to internal networks (such as AWS/Azure IMDS, RFC 1918, or loopback addresses), an attacker can force the client to issue outbound HTTP requests to internal endpoints. This can be used for service discovery or probing internal networks from within the user's trust boundary. - TLS Downgrade: A registry contacted via
https://can return arealmusing thehttp://scheme, causing the client to send credentials over plaintext to the token endpoint, bypassing the intended transport security.
The issue occurs in
registry/remote/auth/client.go within the Client.Do(), Client.fetchBearerToken(), fetchDistributionToken(), and fetchOAuth2Token() functions, where the realm parameter from parseChallenge is passed to http.NewRequestWithContext without validation.Recommendations
Update oras.land/oras-go/v2 to version v2.6.1 or later.
As a temporary mitigation, use the
Client.TrustedRealmHosts allowlist to restrict realm forwarding to trusted hosts.Fix
Cleartext Transmission of Sensitive Information
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Oras-Go