Impact
A flaw in the oras-go Go library allows an attacker to craft a tarball containing a malicious hardlink. When the tarball is extracted, the hardlink can be redirected to a file outside the intended extraction directory, specifically on the victim’s current working directory. This results in the reading of sensitive data, and if the extraction process runs with elevated privileges, the attacker could gain unauthorized access to critical system files. The flaw is a classic path‑traversal vulnerability (CWE‑22).
Affected Systems
The vulnerability affects any deployment that employs the oras‑go library for handling OCI artifacts. Version information is not provided, so any instance of oras‑go that processes tarballs may be vulnerable. Users should review the vendor’s advisory and upgrade to a fixed release as soon as it becomes available.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity, and the ATD is not reflected in a KEV listing. Because the exploit requires an opportunity to supply a crafted tarball, the attack vector is likely local or remote, depending on whether the application using oras‑go is exposed to untrusted input. Failure to apply the patch could allow an attacker to read arbitrary files on the host, potentially escalating privileges if the process runs with elevated rights.
OpenCVE Enrichment
Github GHSA