A flaw was found in oras-go. During the monolithic blob upload process, oras-go reuses the Authorization header for subsequent requests, even if a malicious registry provides a cross-host Location header. This vulnerability allows an attacker-controlled endpoint to receive the caller's credentials, leading to information disclosure. Additionally, it can enable client-side Server-Side Request Forgery (SSRF) to a cross-host target.
Project Subscriptions
No data.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-jxpm-75mh-9fp7 | oras-go blob upload vulnerable to credential forwarding via unvalidated Location header |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 15 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in oras-go. During the monolithic blob upload process, oras-go reuses the Authorization header for subsequent requests, even if a malicious registry provides a cross-host Location header. This vulnerability allows an attacker-controlled endpoint to receive the caller's credentials, leading to information disclosure. Additionally, it can enable client-side Server-Side Request Forgery (SSRF) to a cross-host target. | |
| Title | oras-go: oras-go: Credential forwarding via unvalidated Location header during blob upload | |
| Weaknesses | CWE-522 | |
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Projects
Sign in to view the affected projects.
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
Github GHSA