Threat Advisory

oras-go Vulnerability allows SSRF via Location header

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-50151 (CVSS score 7.5) is a server-side request forgery (SSRF) vulnerability affecting oras-go versions prior to 2.6.1. The issue arises because the library fails to validate the `Location` header returned by a registry during the monolithic blob upload process and automatically reuses the `Authorization` header from the initial request for the subsequent operation. An attacker who controls a registry, or can manipulate its response, can return a cross-host `Location` URL, which causes the client to forward the original request and its associated credentials to an attacker-controlled endpoint. Successful exploitation allows the attacker to intercept sensitive authentication tokens, resulting in credential leakage and client-side SSRF. The business impact is significant: compromised credentials could allow unauthorized access to internal systems or third-party services, leading to potential data breaches or further lateral movement. Exploitation requires that a user or service attempt to upload a blob to a malicious or compromised registry that returns a manipulated `Location` header.
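
The missing check described above can be sketched as follows. This is an added Go example, not code from oras-go or its 2.6.1 release; `followUpRequest`, `allowCrossOrigin`, `errCrossOrigin` and the hosts `registry.example` and `attacker.example` are hypothetical names constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// errCrossOrigin marks a Location that leaves the origin of the first request.
var errCrossOrigin = errors.New("upload Location leaves the registry origin")

// followUpRequest builds the PUT that completes a monolithic blob upload
// (blob body omitted). location is the Location header from the registry's
// response to first. Authorization is copied only when the resolved target has
// the same scheme and host:port as first; otherwise the call fails, or, when
// allowCrossOrigin is set, continues without credentials.
func followUpRequest(first *http.Request, location string, allowCrossOrigin bool) (*http.Request, error) {
	loc, err := url.Parse(location)
	if err != nil || location == "" {
		return nil, fmt.Errorf("unusable Location header %q", location)
	}
	target := first.URL.ResolveReference(loc) // relative values stay on-origin
	sameOrigin := target.Scheme == first.URL.Scheme &&
		strings.EqualFold(target.Host, first.URL.Host) // strict: "host" != "host:443"
	if !sameOrigin && !allowCrossOrigin {
		return nil, fmt.Errorf("%w: %s", errCrossOrigin, target.Host)
	}
	req, err := http.NewRequest(http.MethodPut, target.String(), nil)
	if err != nil {
		return nil, err
	}
	if auth := first.Header.Get("Authorization"); sameOrigin && auth != "" {
		req.Header.Set("Authorization", auth)
	}
	return req, nil
}

func main() {
	// Constructed sample: both hosts and the token are placeholders.
	first, _ := http.NewRequest(http.MethodPost, "https://registry.example/v2/app/blobs/uploads/", nil)
	first.Header.Set("Authorization", "Bearer constructed-token")
	for _, loc := range []string{"/v2/app/blobs/uploads/1a2b", "https://attacker.example/collect"} {
		req, err := followUpRequest(first, loc, false)
		if err != nil {
			fmt.Println("refused:", err)
			continue
		}
		fmt.Println("PUT", req.URL, "credentials forwarded:", req.Header.Get("Authorization") != "")
	}
}
```

The origin comparison is deliberately strict, so a scheme downgrade or a protocol-relative `Location` pointing at another host is treated as cross-origin.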

RECOMMENDATION:

  • We recommend updating oras-go to version 2.6.1.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-jxpm-75mh-9fp7
