chore(deps): update module oras.land/oras-go/v2 to v2.6.1 [security] (release-2.4)#180
Open
crossplane-renovate[bot] wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v2.6.0→v2.6.1oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens
CVE-2026-48978 / GHSA-xf85-363p-868w
More information
Details
Summary
oras-go's
auth.Clientfollows therealmURL from a registry'sWWW-Authenticate: Bearerchallenge without validating its scheme or host. Therealmfield is server-controlled by design in the OCI/distribution spec — registries legitimately point token requests at a separate auth endpoint (e.g. Docker Hub'sregistry-1.docker.io->auth.docker.io), so cross-host realms on public DNS names are not in themselves a vulnerability. Two specific patterns, however, are never legitimate under any registry trust model and can be abused by a malicious or compromised registry (or a man-in-the-middle on a plaintext connection):SSRF to internal networks. A realm of
http://169.254.169.254/...(AWS/Azure IMDS),http://10.0.0.x/...(RFC 1918), orhttp://127.0.0.1/...causes oras-go running on a cloud VM or corporate workstation to issue outbound HTTP requests from inside the user's trust boundary to an endpoint the user did not choose. The user's stored credentials are attached to those requests, but the principal harm is the network primitive — probing internal endpoints from the client. On IMDSv1 the response body is recoverable from log channels; on IMDSv2 the probe itself can still be used for service discovery.TLS downgrade. A registry contacted over
https://can return a realm with anhttp://scheme, causing oras-go to send the user's credentials over plaintext to the token endpoint. This defeats the transport security the user chose when typinghttps://.What is NOT claimed
This advisory does not claim that credential forwarding to an arbitrary public attacker host through a server-controlled realm is, on its own, a vulnerability. The distribution spec defines
realmas a server-controlled field; a strict same-host or same-eTLD+1 enforcement would deviate from the spec and break legitimate split-host deployments. Operators who want defense-in-depth against cross-host realm forwarding can use the opt-inClient.TrustedRealmHostsallowlist (added separately).Affected versions
oras.land/oras-go/v2 <= v2.6.0Severity
Medium. Network attack vector, low complexity, no privileges required, user interaction required (victim runs an oras command against the malicious or MITM'd registry), unchanged scope. Confidentiality impact is limited — IMDS probe responses can disclose information, and TLS downgrade exposes the realm request to passive observers — but the attacker does not obtain credentials beyond what the malicious endpoint already controls.
Affected code
registry/remote/auth/client.go—Client.Do()(bearer challenge handling)registry/remote/auth/client.go—Client.fetchBearerToken()/fetchDistributionToken/fetchOAuth2TokenThe
realmparameter fromparseChallengeis threaded through tohttp.NewRequestWithContextwithout scheme or host validation.CWE
Patch
registry/remote/auth/client.gonow rejects realm URLs that:httporhttpshttpwhen the registry was contacted overhttps(TLS downgrade)Cross-host realms on public DNS names continue to be accepted.
Credit
Reported by bugbunny.ai.
Severity
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header
CVE-2026-50151 / GHSA-jxpm-75mh-9fp7
More information
Details
Summary
oras-go follows a registry-controlled
Locationheader during the monolithic blob upload flow and reuses theAuthorizationheader from the initialPOSTrequest for the subsequentPUTrequest. If a malicious registry returns a cross-hostLocation, oras-go can send the caller's credentials to an attacker-controlled endpoint.Affected Versions
tested: v2.6.0 (commit 03243809936cce826494b5506f724c6dc11115b1, as-of 2026-01-24)
range: unknown; likely affects earlier v2.x releases that include the same upload flow
Impact
Credential leak to an attacker-controlled endpoint and client-side ssrf to a cross-host target.
Affected Component
registry/remote/repository.go:878-916(blobStore.completePushAfterInitialPost)Reproduction
Attachments include
poc.zipwith a local-only harness (no real registry required). It runs a fake registry server that returns a cross-hostLocationand a second server that records whether it receivedAuthorization.unzip -q -o poc.zip -d /tmp/poc cd /tmp/poc/poc-F-ORAS-LOCATION-UPLOAD-001 make canonical make controlRecommended Fix
Locationbefore uploading (scheme + hostname + effective port) against the original request, or require an explicit opt-in allowlist for cross-host upload urlsAuthorizationwhen the upload target changes host or schemereferences
registry/remote/repository.go(seeblobStore.completePushAfterInitialPost)Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
oras-go has file store write outside workingDir via symlink traversal
CVE-2026-50162 / GHSA-8xwf-rjm4-xvhv
More information
Details
The file content store in
oras-goattempts to confine writes toworkingDirwhenAllowPathTraversalOnWrite=false, but the guard is lexical and does not account for symlink traversal. IfworkingDircontains a symlink path component and an attacker-controlled blob title (viaocispec.AnnotationTitle) targets a path under that symlink,pushFile()can create a file outsideworkingDir.relevant links
resolveWritePath()(used bypushFile())vulnerability details
pins: oras-project/oras-go@0324380
as-of: 2026-02-17
policy: GitHub Security Advisory (oras-project/oras-go)
callsite: content/file/file.go:609
resolveWritePath()→pushFile()attacker control: Attacker controls the pushed name (
ocispec.AnnotationTitle) and can select a path with a symlink path component underworkingDir→resolveWritePath()blocks..viafilepath.Relbut does not prevent symlink traversal →pushFile()opens/creates the final path and follows the symlink → a file is created outsideworkingDirroot cause
resolveWritePath()enforces the write boundary using afilepath.Rel-style check againstworkingDir. This prevents../escapes but is purely lexical and does not resolve symlinks. If a path component underworkingDiris a symlink to an external location, the subsequent filesystem operation inpushFile()follows that symlink and performs the write outsideworkingDirwhile still passing the lexical boundary check.attack path
ocispec.AnnotationTitle) that contains a path likeout/pwn.txt.oras-gofile store withAllowPathTraversalOnWrite=falseand aworkingDirthat contains a symlink directoryout -> /some/outside/dir.out/pwn.txtas being underworkingDir./some/outside/dir/pwn.txt.impact
This is a filesystem boundary bypass that permits writes outside
workingDirwhen a symlink path component exists underworkingDir. The concrete security impact depends on the runtime environment (what filesystem locations are writable by the process and what downstream consumers do with the written file), but the intended confinement guarantee is violated.proof of concept
the attached
poc.zipcontains a small, self-contained go harness that demonstrates:[CALLSITE_HIT]and[PROOF_MARKER]and shows the file is created outsideworkingDir[NC_MARKER]and confirms no outside write occursrun:
expected: when
AllowPathTraversalOnWrite=false, file store writes should not be able to escapeworkingDir, including via symlink traversal.actual: A symlink path component under
workingDirallows writes to escapeworkingDireven whenAllowPathTraversalOnWrite=false.recommended fix
ensure confinement checks account for symlink traversal. Options include rejecting symlinks in any path component (walk components with
os.Lstat), validating the resolved parent directory viaEvalSymlinksand enforcing it remains under the resolvedworkingDir, or using anopenat()-style approach so the check and open happen relative to a trusted directory file descriptor.fix accepted when: The canonical PoC no longer prints
[PROOF_MARKER]for the same attacker-controlled inputs.cheers,
Oleh
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
ORAS Go forwards registry credentials across registry redirects
GHSA-vh4v-2xq2-g5cg
More information
Details
ORAS Go forwards registry credentials across registry redirects
Reporter / public credit: JUNYI LIU
Summary
ORAS Go can forward registry credentials configured for one registry origin to a different HTTP origin during registry redirects.
There are two related paths:
Authorizationheader to the redirect target.POSTauthenticates to the origin registry, then the origin returns an uploadLocationon another host or port. The follow-upPUTcan carry the originAuthorizationheader to theLocationtarget.The upload
Locationissue appears related to the existing public fix in pull request #1152 / GHSA-jxpm-75mh-9fp7. The manifest redirect path is a residual adjacent route: the v2 branch after the uploadLocationfix still forwards Basic credentials on an authenticated manifest redirect.Impact
A registry response can cause an ORAS Go or ORAS CLI client to send configured registry credentials to an unintended endpoint. In common workflows, those credentials may come from a registry config / Docker-style auth file rather than command-line flags.
This is a credential exposure across the registry-origin boundary. I am not claiming remote code execution, registry compromise, arbitrary token theft, or live third-party impact.
Affected Versions Tested
oras-go v2.6.0: affected.oras-gomain at commita57383e580c8f2c97fb67dedfc5c9945c8c3614e: affected.oras-gov2 branch at commitd593d504779be8b69f0ba034ac9fd407d1fc8cfc: uploadLocationpath is blocked, but manifest redirect credential forwarding is still affected.3d2646279c70ba60415440e44c2ff97896e4a209, usingoras-go v2.6.0: affected when using--registry-config.Security Invariant
Credentials resolved for one registry origin should not be silently forwarded to a different origin reached through a registry redirect or upload
Locationresponse.Local Reproduction Overview
All testing used loopback servers and fake credentials only.
Manifest redirect flow:
401with a Basic challenge.307to another port on the same hostname.Authorizationheader.ORAS CLI stored-credential flow:
Authorizationheader.Blob upload
Locationflow:POSTto the origin registry.POST.LocationURL on another port.PUTto theLocationtarget carries the originAuthorizationheader.Expected Result
Redirect and upload
Locationtargets on a different HTTP origin should not receive the originAuthorizationheader.Observed Result
In affected versions, redirect or
Locationsinks received:Authorization: Basic <base64 origin_user:origin_pass>Standalone Reproducer
Candidate Fix
The candidate fix does two things:
Authorizationis removed when a redirect changes HTTP origin, while preserving any caller-providedCheckRedirectcallback.POSTAuthorizationheader when the uploadLocationremains on the same HTTP origin.The patch also adds regression coverage for both redirect cases:
Validation Performed
The repaired candidate fix blocked:
Locationcredential forwarding.Targeted tests passed:
Prior Art / Duplicate Notes
Public pull request #1152 fixes credential forwarding via unvalidated blob upload
Locationand references GHSA-jxpm-75mh-9fp7. The residual manifest redirect path described here is adjacent but not covered by that PR's stated uploadLocationscope.Bearer realm credential exfiltration appears to be a separate issue family and is not part of this report's primary claim.
Claim Boundaries
Proven:
Locationorigin in local loopback tests.Locationcredential exposures.Not claimed:
Locationorigin transitions.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
oras-go has file store write outside workingDir via symlink traversal
CVE-2026-50162 / GHSA-8xwf-rjm4-xvhv
More information
Details
The file content store in
oras-goattempts to confine writes toworkingDirwhenAllowPathTraversalOnWrite=false, but the guard is lexical and does not account for symlink traversal. IfworkingDircontains a symlink path component and an attacker-controlled blob title (viaocispec.AnnotationTitle) targets a path under that symlink,pushFile()can create a file outsideworkingDir.relevant links
resolveWritePath()(used bypushFile())vulnerability details
pins: oras-project/oras-go@0324380
as-of: 2026-02-17
policy: GitHub Security Advisory (oras-project/oras-go)
callsite: content/file/file.go:609
resolveWritePath()→pushFile()attacker control: Attacker controls the pushed name (
ocispec.AnnotationTitle) and can select a path with a symlink path component underworkingDir→resolveWritePath()blocks..viafilepath.Relbut does not prevent symlink traversal →pushFile()opens/creates the final path and follows the symlink → a file is created outsideworkingDirroot cause
resolveWritePath()enforces the write boundary using afilepath.Rel-style check againstworkingDir. This prevents../escapes but is purely lexical and does not resolve symlinks. If a path component underworkingDiris a symlink to an external location, the subsequent filesystem operation inpushFile()follows that symlink and performs the write outsideworkingDirwhile still passing the lexical boundary check.attack path
ocispec.AnnotationTitle) that contains a path likeout/pwn.txt.oras-gofile store withAllowPathTraversalOnWrite=falseand aworkingDirthat contains a symlink directoryout -> /some/outside/dir.out/pwn.txtas being underworkingDir./some/outside/dir/pwn.txt.impact
This is a filesystem boundary bypass that permits writes outside
workingDirwhen a symlink path component exists underworkingDir. The concrete security impact depends on the runtime environment (what filesystem locations are writable by the process and what downstream consumers do with the written file), but the intended confinement guarantee is violated.proof of concept
the attached
poc.zipcontains a small, self-contained go harness that demonstrates:[CALLSITE_HIT]and[PROOF_MARKER]and shows the file is created outsideworkingDir[NC_MARKER]and confirms no outside write occursrun:
expected: when
AllowPathTraversalOnWrite=false, file store writes should not be able to escapeworkingDir, including via symlink traversal.actual: A symlink path component under
workingDirallows writes to escapeworkingDireven whenAllowPathTraversalOnWrite=false.recommended fix
ensure confinement checks account for symlink traversal. Options include rejecting symlinks in any path component (walk components with
os.Lstat), validating the resolved parent directory viaEvalSymlinksand enforcing it remains under the resolvedworkingDir, or using anopenat()-style approach so the check and open happen relative to a trusted directory file descriptor.fix accepted when: The canonical PoC no longer prints
[PROOF_MARKER]for the same attacker-controlled inputs.cheers,
Oleh
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
oras-gotar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolutionCVE-2026-50163 / GHSA-fxhp-mv3v-67qp
More information
Details
Root cause
The tar-extraction helper
ensureLinkPathatcontent/file/utils.go:262-275validates that a hardlink's target resolves inside the extract base, but then returns the original unresolvedtargetstring back to the caller:The caller for
TypeLinkhardlinks then does:os.Link(oldname, newname)wraps thelink(2)system call. From thelink(2)man page:So when
target(i.e.,header.Linkname) is a relative path,os.Linkresolves it against the process's current working directory, not againstfilepath.Dir(link)as the validation assumed.Attack
An attacker who controls an OCI-compliant registry (or any artifact source the victim consumes via
oras pull) crafts a tarball layer with:payload.tar.gz/README.txt.Typeflag=TypeLink,Name=payload.tar.gz/evil_cwd_link,Linkname="victim.secret"(relative).and marks the layer descriptor with
io.deis.oras.content.unpack: "true"(a standard annotation that tellsoras-goto auto-extract).When a victim runs
oras pull(or any Go code usingcontent.File), the extraction:payload.tar.gz/evil_cwd_link— passes.ensureLinkPath(dirPath, "payload.tar.gz", filePath, "victim.secret"):path = filepath.Join(filepath.Dir(filePath), "victim.secret")=<extract_base>/payload.tar.gz/victim.secret→ inside base → validation passes.target = "victim.secret"(NOTpath).os.Link("victim.secret", "<extract_base>/payload.tar.gz/evil_cwd_link").link(2)resolves relativeoldname="victim.secret"against process CWD → creates a hardlink inside the extract tree pointing to<invoker_CWD>/victim.secret.The resulting hardlink and the CWD file share an inode — reading one reads the other; writing to one writes to the other.
Proof of Concept
Tested on Ubuntu 24.04.4 LTS with
orasCLI v1.3.0 (SHA-256040e140304b7dbdd9b40dacd798e2303cea44ad84eeb210750afdf15f1dcf8b4, downloaded from https://github.com/oras-project/oras/releases/download/v1.3.0/oras_1.3.0_linux_amd64.tar.gz).Reproduction script (standalone, ~50 lines) attached. Summary of key steps:
Observed output:
A library-level regression test is also provided (
poc_test.go) that drops intocontent/file/utils_test.goand runs viago test ./content/file/... -run TestPoC— output shows identical inode match for consumers of the library API.Impact
Primary: arbitrary-CWD-file read primitive. An attacker-controlled OCI artifact, when pulled by a victim using the
orasCLI or any Go program usingoras-go/v2/content/file, can create a hardlink inside the victim's extract tree pointing to an arbitrary file in the victim's process CWD (that the invoker UID is permitted to read). Reading the extract-tree hardlink yields that file's contents verbatim.Secondary: inode-sharing tampering primitive. Any tool that later modifies the extract-tree hardlink (write, chmod, truncate, etc.) modifies the CWD file through the shared inode. This violates the "writes inside the extract dir are confined" invariant that downstream tooling (CI systems, container-image builders, artifact scanners) typically depends on.
High-severity chains:
oras pullruns from a project workspace containing secrets/credentials (.env,.git/config, service-account tokens). The pulled artifact can hardlink those secrets into a location later archived/mounted/published.oras-goto fetch artifacts; their CWD is typically/or/root— very sensitive.oras-goto fetch and re-serve artifacts; each proxy process has a CWD with configuration, keys, or per-tenant state.Not affected:
oras push(tarball creation side):tarDirectoryin the same file explicitly skips hardlink generation (line 65 comment:"We don't support hard links and treat it as regular files"), so pushed content cannot trigger this on the server.TypeSymlink):os.Symlinkstores the target string verbatim and does not CWD-resolve at creation time. The currentensureLinkPathreturn-of-targetis correct for symlinks (the existing validation correctly models the symlink-follow path).Attack-surface boundary (
fs.protected_hardlinks)On Linux with
fs.protected_hardlinks=1(default on modern distros),link(2)additionally requires the linking user to have READ + WRITE permission on the source file (permay_linkat()in the kernel). Verified on Ubuntu 24.04: as non-root,ln /etc/passwd /tmp/xreturnsEPERM, and the same via the oras PoC path returnslink passwd /tmp/.../evil_passwd: operation not permitted.So the attacker cannot use this bug to read arbitrary root-owned files (e.g.,
/etc/shadow) when the victim invokesoras pullas a regular user. The attack surface depends on the invocation context:oras pullrun by a regular user.env,.git/config,.aws/credentials,~/.ssh/config, project-local secrets, CI workspace files.oras pullrun as root (systemd withoutUser=, container entrypoint default root, Kubernetes operator)/etc/shadow,/root/.ssh/id_rsa, bind-mounted host paths, service private keys.The user-context attack surface alone is sufficient for supply-chain-grade impact: CI pipelines and developer machines routinely hold API keys, signing keys, and cloud credentials in user-owned files in the working directory. The root-context escalation makes the bug Critical in mainstream Kubernetes/GitOps tooling where oras-go is adopted for artifact distribution.
Proposed fix
Change
ensureLinkPathto expose both the verbatim target (for symlinks) and the resolved absolute path (for hardlinks); have theTypeLinkcase use the resolved path.Regression test to add:
Extend
Test_extractTarDirectory_HardLinkwith a third sub-test that:t.TempDir()(or an explicitlyos.Chdir-entered directory) with a known name, e.g.sentinel.txt.TypeLinkentry withLinkname: "sentinel.txt"(relative).extractTarDirectoryreturned an error, OR the resulting hardlink's inode does NOT match the sentinel's inode.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header
CVE-2026-50151 / GHSA-jxpm-75mh-9fp7
More information
Details
Summary
oras-go follows a registry-controlled
Locationheader during the monolithic blob upload flow and reuses theAuthorizationheader from the initialPOSTrequest for the subsequentPUTrequest. If a malicious registry returns a cross-hostLocation, oras-go can send the caller's credentials to an attacker-controlled endpoint.Affected Versions
tested: v2.6.0 (commit 03243809936cce826494b5506f724c6dc11115b1, as-of 2026-01-24)
range: unknown; likely affects earlier v2.x releases that include the same upload flow
Impact
Credential leak to an attacker-controlled endpoint and client-side ssrf to a cross-host target.
Affected Component
registry/remote/repository.go:878-916(blobStore.completePushAfterInitialPost)Reproduction
Attachments include
poc.zipwith a local-only harness (no real registry required). It runs a fake registry server that returns a cross-hostLocationand a second server that records whether it receivedAuthorization.unzip -q -o poc.zip -d /tmp/poc cd /tmp/poc/poc-F-ORAS-LOCATION-UPLOAD-001 make canonical make controlRecommended Fix
Locationbefore uploading (scheme + hostname + effective port) against the original request, or require an explicit opt-in allowlist for cross-host upload urlsAuthorizationwhen the upload target changes host or schemereferences
registry/remote/repository.go(seeblobStore.completePushAfterInitialPost)Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
ORAS Go forwards registry credentials across registry redirects
GHSA-vh4v-2xq2-g5cg
More information
Details
ORAS Go forwards registry credentials across registry redirects
Reporter / public credit: JUNYI LIU
Summary
ORAS Go can forward registry credentials configured for one registry origin to a different HTTP origin during registry redirects.
There are two related paths:
Authorizationheader to the redirect target.POSTauthenticates to the origin registry, then the origin returns an uploadLocationon another host or port. The follow-upPUTcan carry the originAuthorizationheader to theLocationtarget.The upload
Locationissue appears related to the existing public fix in pull request #1152 / GHSA-jxpm-75mh-9fp7. The manifest redirect path is a residual adjacent route: the v2 branch after the uploadLocationfix still forwards Basic credentials on an authenticated manifest redirect.Impact
A registry response can cause an ORAS Go or ORAS CLI client to send configured registry credentials to an unintended endpoint. In common workflows, those credentials may come from a registry config / Docker-style auth file rather than command-line flags.
This is a credential exposure across the registry-origin boundary. I am not claiming remote code execution, registry compromise, arbitrary token theft, or live third-party impact.
Affected Versions Tested
oras-go v2.6.0: affected.oras-gomain at commita57383e580c8f2c97fb67dedfc5c9945c8c3614e: affected.oras-gov2 branch at commitd593d504779be8b69f0ba034ac9fd407d1fc8cfc: uploadLocationpath is blocked, but manifest redirect credential forwarding is still affected.3d2646279c70ba60415440e44c2ff97896e4a209, usingoras-go v2.6.0: affected when using--registry-config.Security Invariant
Credentials resolved for one registry origin should not be silently forwarded to a different origin reached through a registry redirect or upload
Locationresponse.Local Reproduction Overview
All testing used loopback servers and fake credentials only.
Manifest redirect flow:
401with a Basic challenge.307to another port on the same hostname.Authorizationheader.ORAS CLI stored-credential flow:
Authorizationheader.Blob upload
Locationflow:POSTto the origin registry.POST.LocationURL on another port.PUTto theLocationtarget carries the originAuthorizationheader.Expected Result
Redirect and upload
Locationtargets on a different HTTP origin should not receive the originAuthorizationheader.Observed Result
In affected versions, redirect or
Locationsinks received:Authorization: Basic <base64 origin_user:origin_pass>Standalone Reproducer
Candidate Fix
The candidate fix does two things:
Authorizationis removed when a redirect changes HTTP origin, while preserving any caller-providedCheckRedirectcallback.POSTAuthorizationheader when the uploadLocationremains on the same HTTP origin.The patch also adds regression coverage for both redirect cases:
Validation Performed
The repaired candidate fix blocked:
Locationcredential forwarding.Targeted tests passed:
Prior Art / Duplicate Notes
Public pull request #1152 fixes credential forwarding via unvalidated blob upload
Locationand references GHSA-jxpm-75mh-9fp7. The residual manifest redirect path described here is adjacent but not covered by that PR's stated uploadLocationscope.Bearer realm credential exfiltration appears to be a separate issue family and is not part of this report's primary claim.