Skip to main content

oras-go CVE-2026-50162

MEDIUM
External Control of File Name or Path (CWE-73)
2026-07-01 https://github.com/oras-project/oras-go GHSA-8xwf-rjm4-xvhv
Share

Severity by source

vuln.today AI
6.9 MEDIUM

Network delivery of malicious OCI artifact (AV:N); symlink prerequisite in workingDir raises complexity (AC:H); no victim-system privileges needed (PR:N); victim must pull artifact (UI:R); write escapes workingDir boundary into broader filesystem (S:C); no read impact (C:N); arbitrary file write is high integrity (I:H); incidental overwrite risk (A:L).

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 22:21 vuln.today

DescriptionCVE.org

The file content store in oras-go attempts to confine writes to workingDir when AllowPathTraversalOnWrite=false, but the guard is lexical and does not account for symlink traversal. If workingDir contains a symlink path component and an attacker-controlled blob title (via ocispec.AnnotationTitle) targets a path under that symlink, pushFile() can create a file outside workingDir.

relevant links

  • repository: https://github.com/oras-project/oras-go
  • commit: 03243809936cce826494b5506f724c6dc11115b1
  • callsite: content/file/file.go:609 resolveWritePath() (used by pushFile())

vulnerability details

pins: oras-project/oras-go@03243809936cce826494b5506f724c6dc11115b1

as-of: 2026-02-17

policy: GitHub Security Advisory (oras-project/oras-go)

callsite: content/file/file.go:609 resolveWritePath()pushFile()

attacker control: Attacker controls the pushed name (ocispec.AnnotationTitle) and can select a path with a symlink path component under workingDirresolveWritePath() blocks .. via filepath.Rel but does not prevent symlink traversal → pushFile() opens/creates the final path and follows the symlink → a file is created outside workingDir

root cause

resolveWritePath() enforces the write boundary using a filepath.Rel-style check against workingDir. This prevents ../ escapes but is purely lexical and does not resolve symlinks. If a path component under workingDir is a symlink to an external location, the subsequent filesystem operation in pushFile() follows that symlink and performs the write outside workingDir while still passing the lexical boundary check.

attack path

  1. Attacker provides a blob title (via ocispec.AnnotationTitle) that contains a path like out/pwn.txt.
  2. Victim uses oras-go file store with AllowPathTraversalOnWrite=false and a workingDir that contains a symlink directory out -> /some/outside/dir.
  3. The lexical boundary check accepts out/pwn.txt as being under workingDir.
  4. The write follows the symlink and creates /some/outside/dir/pwn.txt.

impact

This is a filesystem boundary bypass that permits writes outside workingDir when a symlink path component exists under workingDir. The concrete security impact depends on the runtime environment (what filesystem locations are writable by the process and what downstream consumers do with the written file), but the intended confinement guarantee is violated.

proof of concept

the attached poc.zip contains a small, self-contained go harness that demonstrates:

  • canonical (vulnerable): prints [CALLSITE_HIT] and [PROOF_MARKER] and shows the file is created outside workingDir
  • control (no symlink component): prints [NC_MARKER] and confirms no outside write occurs

run:

bash
unzip -q -o poc.zip -d /tmp
cd /tmp/poc-F-ORAS-SYMLINK-WRITE-001
make test

expected: when AllowPathTraversalOnWrite=false, file store writes should not be able to escape workingDir, including via symlink traversal.

actual: A symlink path component under workingDir allows writes to escape workingDir even when AllowPathTraversalOnWrite=false.

recommended fix

ensure confinement checks account for symlink traversal. Options include rejecting symlinks in any path component (walk components with os.Lstat), validating the resolved parent directory via EvalSymlinks and enforcing it remains under the resolved workingDir, or using an openat()-style approach so the check and open happen relative to a trusted directory file descriptor.

fix accepted when: The canonical PoC no longer prints [PROOF_MARKER] for the same attacker-controlled inputs.

cheers, Oleh

AnalysisAI

Symlink traversal in oras-go's file content store allows writes outside the intended workingDir boundary even when AllowPathTraversalOnWrite=false. Applications that pull OCI artifacts from untrusted registries where an attacker controls blob titles (ocispec.AnnotationTitle) are at risk if any directory component under workingDir is a symlink pointing to an external path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Push malicious OCI artifact with crafted AnnotationTitle to accessible registry
Delivery
Victim pulls artifact into oras-go file store
Exploit
`resolveWritePath()` passes lexical `filepath.Rel` check on symlink path component
Execution
`pushFile()` opens path and OS follows symlink to external directory
Impact
File created outside `workingDir` in attacker-chosen location

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following conditions to be true simultaneously: (1) the application uses the oras-go file content store with `AllowPathTraversalOnWrite=false` explicitly set - this is the mode intended to enforce `workingDir` confinement and is the targeted security control; (2) one or more directory components under `workingDir` are symbolic links pointing to a location outside `workingDir` (e.g., `workingDir/out -> /some/outside/dir`); and (3) the attacker can influence the value of `ocispec.AnnotationTitle` on a blob being pulled into the file store, typically by controlling or compromising the OCI registry source. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No vendor CVSS vector was published alongside GHSA-8xwf-rjm4-xvhv, and no EPSS score is available, so quantitative risk comparison across signals is limited. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker pushes a malicious OCI artifact to a shared or attacker-controlled registry with a blob whose `ocispec.AnnotationTitle` is set to `out/backdoor.sh`. A CI/CD pipeline running oras-go pulls the artifact into a `workingDir` that contains a symlink `out -> /usr/local/bin` (introduced, for example, by a prior build step or misconfiguration). …
Remediation The upstream fix is available at commit cc323e564d90c6b5b4bdd71d3c8d2ee2713b37e5 (https://github.com/oras-project/oras-go/commit/cc323e564d90c6b5b4bdd71d3c8d2ee2713b37e5); consumers should update their `go.mod` to a tagged release that includes this commit - verify inclusion via `git log` against the fix SHA, as a specific released version number is not confirmed in the available advisory data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

CVE-2026-50162 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy