Oras-Go Tar Extraction Vulnerability Allows Current Working Directory Escape (CVE-2026-50163)
An attacker can craft a malicious OCI artifact with a tarball layer containing a hardlink entry that uses a relative path for its target, which, when extracted by `oras-go` (<= 2.6.1) or the `oras` CLI, allows the hardlink to resolve against the process's current working directory (CWD) instead of the intended extraction base, leading to arbitrary file read or modification in the victim's CWD via an inode-sharing vulnerability.
A critical vulnerability (CVE-2026-50163) has been identified in oras-go/v2 versions <= 2.6.1, including the oras CLI tool, that allows for arbitrary file reading and modification during OCI artifact extraction. An attacker can exploit this by crafting a malicious OCI artifact with a tarball layer containing a hardlink entry whose target is a relative path (e.g., victim.secret). When a victim uses oras pull or any Go application leveraging the vulnerable oras-go/v2/content/file package to extract this artifact, a flaw in the ensureLinkPath function causes the os.Link system call to resolve the relative hardlink target against the invoking process's current working directory (CWD) instead of the intended artifact extraction base. This enables the creation of a hardlink within the extraction directory that points to a sensitive file in the victim's CWD, allowing attackers to exfiltrate or tamper with files like .env, .git/config, or cloud credentials. The impact is elevated to critical if the oras pull operation is executed with root privileges, granting access to virtually any file on the host system.
Attack Chain
- An attacker crafts a malicious OCI artifact layer containing a hardlink entry (
Typeflag=TypeLink,Linkname="victim.secret", wherevictim.secretis a relative path). The layer is specifically annotated for auto-extraction (io.deis.oras.content.unpack: "true"). - The malicious artifact is published to an OCI-compliant registry controlled by the attacker or a compromised one.
- A victim executes
oras pull(or any Go code usingoras-go/v2/content/file) to retrieve the artifact, with their current working directory (CWD) containing a sensitive file namedvictim.secret. - During extraction,
oras-go'sensureLinkPathfunction validates the hardlink. Due to a logic flaw, it incorrectly returns the original relativeLinkname(victim.secret), despite internally resolving a safe absolute path for validation. - The
os.Linksystem call is then invoked with this relativevictim.secretas theoldnameparameter. Instead of resolving relative to the extraction base,os.Linkresolves it against the process's CWD. - A hardlink is created inside the victim's artifact extraction directory (e.g.,
extract/payload.tar.gz/evil_cwd_link), pointing to the sensitivevictim.secretfile located in the victim's CWD. - The attacker, by subsequently accessing the extracted artifact (e.g., reading the
evil_cwd_linkfile), can now read the contents of the sensitivevictim.secretfile from the victim's CWD or modify its contents through the shared inode.
Impact
This vulnerability presents an arbitrary file read primitive, allowing an attacker to access sensitive files from the victim's current working directory (CWD). If oras pull is run by a regular user, files like .env, .git/config, .aws/credentials, SSH configurations, project-local secrets, or CI workspace files are at risk. In high-severity scenarios, such as when oras pull is run as root (e.g., within Kubernetes operators, systemd services without User= isolation, or container entrypoints), the attacker gains the ability to read or tamper with virtually any file on the host filesystem, including /etc/shadow, /root/.ssh/id_rsa, or bind-mounted host paths, making it a critical threat to CI pipelines, container orchestration, and multi-tenant environments. The PoC demonstrated successful inode sharing on Ubuntu 24.04.4 LTS, confirming the ability to access CWD files through the created hardlink.
Recommendation
- Patch CVE-2026-50163 immediately: Upgrade
oras-go/v2to a version greater than 2.6.1. FororasCLI users, upgrade to the latest patched version when available. - Implement
fs.protected_hardlinks: Ensurefs.protected_hardlinks=1is enabled on Linux systems. While not a full fix for user-owned files, this mitigates unauthorized hardlinking of root-owned files when the victim process runs as a regular user. - Minimize
oras pullCWD exposure: Restrict the environment whereoras pullororas-golibrary calls are executed. Do not runoras pullfrom directories containing sensitive files. - Limit
oras pullprivileges: Avoid runningoras pullas a privileged user (e.g.,root) in production or CI/CD environments. Utilize user namespaces, unprivileged containers, orUser=directives in systemd where applicable.
Indicators of compromise
1
domain
1
hash_sha256
1
url
| Type | Value |
|---|---|
| hash_sha256 | 040e140304b7dbdd9b40dacd798e2303cea44ad84eeb210750afdf15f1dcf8b4 |
| url | https://github.com/oras-project/oras/releases/download/v1.3.0/oras_1.3.0_linux_amd64.tar.gz |
| domain | oras.land |