Impact
The flaw in oras-go’s auth.Client permits an attacker to manipulate the realm URL in a registry’s WWW‑Authenticate: Bearer challenge. By providing a malicious or spoofed realm, an external registry or a man‑in‑the‑middle can cause the client to make internal network requests, resulting in server‑side request forgery (SSRF). The same vulnerability can downgrade the TLS connection, allowing credentials to be transmitted in plain text.
Affected Systems
The issue impacts the oras-go client distributed by the ORAS project. No specific affected versions are listed in the advisory, so any installation that has not yet been updated to a patched release is potentially vulnerable.
Risk and Exploitability
The CVSS score of 3.1 indicates low overall severity, and the vulnerability is not present in the CISA KEV catalog. With EPSS not available, the public knowledge of exploitation is limited, yet the attack path—requiring a malicious registry or MITM—makes this a realistic threat for organizations that pull from external registries or operate exposed services.
OpenCVE Enrichment
Github GHSA