Impact
A flaw in oras-go causes the client to forward the Authorization header it received during a blob upload to any host specified in a cross-host Location header returned by the server. The vulnerability, identified as CWE‑522, allows an attacker‑controlled registry to capture the caller’s credentials, resulting in information disclosure. In addition, because the client follows the redirected URI, the flaw can be leveraged to perform client‑side Server‑Side Request Forgery (SSRF) against internal or external targets.
Affected Systems
The issue affects the oras-go library, which is commonly used in OCI‑compatible image registry interactions. No specific vendor or version strings are provided, so all releases that include the monolithic blob upload routine are potentially impacted until a fix is released.
Risk and Exploitability
The CVSS score for this vulnerability is 5.9, indicating medium severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The attack requires an attacker to control a registry endpoint that issues a cross‑host Location header during a blob upload, and the client must be configured to accept the redirect. In environments where clients trust arbitrary registries and do not validate redirect origins, the exploit is likely to succeed.
OpenCVE Enrichment
Github GHSA