{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/oras-go/v2--2.6.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["oras-go/v2 (\u003c= 2.6.1)","oras CLI"],"_cs_severities":["high"],"_cs_tags":["vulnerability","supply-chain","go","linux","tar","hardlink","path-traversal","arbitrary-file-read","code-execution"],"_cs_type":"advisory","_cs_vendors":["oras-project"],"content_html":"\u003cp\u003eA critical vulnerability (CVE-2026-50163) has been identified in \u003ccode\u003eoras-go/v2\u003c/code\u003e versions \u0026lt;= 2.6.1, including the \u003ccode\u003eoras\u003c/code\u003e CLI tool, that allows for arbitrary file reading and modification during OCI artifact extraction. An attacker can exploit this by crafting a malicious OCI artifact with a tarball layer containing a hardlink entry whose target is a relative path (e.g., \u003ccode\u003evictim.secret\u003c/code\u003e). When a victim uses \u003ccode\u003eoras pull\u003c/code\u003e or any Go application leveraging the vulnerable \u003ccode\u003eoras-go/v2/content/file\u003c/code\u003e package to extract this artifact, a flaw in the \u003ccode\u003eensureLinkPath\u003c/code\u003e function causes the \u003ccode\u003eos.Link\u003c/code\u003e system call to resolve the relative hardlink target against the invoking process's current working directory (CWD) instead of the intended artifact extraction base. This enables the creation of a hardlink within the extraction directory that points to a sensitive file in the victim's CWD, allowing attackers to exfiltrate or tamper with files like \u003ccode\u003e.env\u003c/code\u003e, \u003ccode\u003e.git/config\u003c/code\u003e, or cloud credentials. The impact is elevated to critical if the \u003ccode\u003eoras pull\u003c/code\u003e operation is executed with root privileges, granting access to virtually any file on the host system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious OCI artifact layer containing a hardlink entry (\u003ccode\u003eTypeflag=TypeLink\u003c/code\u003e, \u003ccode\u003eLinkname=\u0026quot;victim.secret\u0026quot;\u003c/code\u003e, where \u003ccode\u003evictim.secret\u003c/code\u003e is a relative path). The layer is specifically annotated for auto-extraction (\u003ccode\u003eio.deis.oras.content.unpack: \u0026quot;true\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious artifact is published to an OCI-compliant registry controlled by the attacker or a compromised one.\u003c/li\u003e\n\u003cli\u003eA victim executes \u003ccode\u003eoras pull\u003c/code\u003e (or any Go code using \u003ccode\u003eoras-go/v2/content/file\u003c/code\u003e) to retrieve the artifact, with their current working directory (CWD) containing a sensitive file named \u003ccode\u003evictim.secret\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring extraction, \u003ccode\u003eoras-go\u003c/code\u003e's \u003ccode\u003eensureLinkPath\u003c/code\u003e function validates the hardlink. Due to a logic flaw, it incorrectly returns the original relative \u003ccode\u003eLinkname\u003c/code\u003e (\u003ccode\u003evictim.secret\u003c/code\u003e), despite internally resolving a safe absolute path for validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eos.Link\u003c/code\u003e system call is then invoked with this relative \u003ccode\u003evictim.secret\u003c/code\u003e as the \u003ccode\u003eoldname\u003c/code\u003e parameter. Instead of resolving relative to the extraction base, \u003ccode\u003eos.Link\u003c/code\u003e resolves it against the process's CWD.\u003c/li\u003e\n\u003cli\u003eA hardlink is created inside the victim's artifact extraction directory (e.g., \u003ccode\u003eextract/payload.tar.gz/evil_cwd_link\u003c/code\u003e), pointing to the sensitive \u003ccode\u003evictim.secret\u003c/code\u003e file located in the victim's CWD.\u003c/li\u003e\n\u003cli\u003eThe attacker, by subsequently accessing the extracted artifact (e.g., reading the \u003ccode\u003eevil_cwd_link\u003c/code\u003e file), can now read the contents of the sensitive \u003ccode\u003evictim.secret\u003c/code\u003e file from the victim's CWD or modify its contents through the shared inode.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability presents an arbitrary file read primitive, allowing an attacker to access sensitive files from the victim's current working directory (CWD). If \u003ccode\u003eoras pull\u003c/code\u003e is run by a regular user, files like \u003ccode\u003e.env\u003c/code\u003e, \u003ccode\u003e.git/config\u003c/code\u003e, \u003ccode\u003e.aws/credentials\u003c/code\u003e, SSH configurations, project-local secrets, or CI workspace files are at risk. In high-severity scenarios, such as when \u003ccode\u003eoras pull\u003c/code\u003e is run as root (e.g., within Kubernetes operators, systemd services without \u003ccode\u003eUser=\u003c/code\u003e isolation, or container entrypoints), the attacker gains the ability to read or tamper with virtually any file on the host filesystem, including \u003ccode\u003e/etc/shadow\u003c/code\u003e, \u003ccode\u003e/root/.ssh/id_rsa\u003c/code\u003e, or bind-mounted host paths, making it a critical threat to CI pipelines, container orchestration, and multi-tenant environments. The PoC demonstrated successful inode sharing on Ubuntu 24.04.4 LTS, confirming the ability to access CWD files through the created hardlink.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-50163 immediately:\u003c/strong\u003e Upgrade \u003ccode\u003eoras-go/v2\u003c/code\u003e to a version greater than 2.6.1. For \u003ccode\u003eoras\u003c/code\u003e CLI users, upgrade to the latest patched version when available.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement \u003ccode\u003efs.protected_hardlinks\u003c/code\u003e:\u003c/strong\u003e Ensure \u003ccode\u003efs.protected_hardlinks=1\u003c/code\u003e is enabled on Linux systems. While not a full fix for user-owned files, this mitigates unauthorized hardlinking of root-owned files when the victim process runs as a regular user.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMinimize \u003ccode\u003eoras pull\u003c/code\u003e CWD exposure:\u003c/strong\u003e Restrict the environment where \u003ccode\u003eoras pull\u003c/code\u003e or \u003ccode\u003eoras-go\u003c/code\u003e library calls are executed. Do not run \u003ccode\u003eoras pull\u003c/code\u003e from directories containing sensitive files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLimit \u003ccode\u003eoras pull\u003c/code\u003e privileges:\u003c/strong\u003e Avoid running \u003ccode\u003eoras pull\u003c/code\u003e as a privileged user (e.g., \u003ccode\u003eroot\u003c/code\u003e) in production or CI/CD environments. Utilize user namespaces, unprivileged containers, or \u003ccode\u003eUser=\u003c/code\u003e directives in systemd where applicable.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:25:05Z","date_published":"2026-07-03T12:25:05Z","id":"https://feed.craftedsignal.io/briefs/2026-07-oras-go-tar-extraction-cwd-escape/","summary":"An attacker can craft a malicious OCI artifact with a tarball layer containing a hardlink entry that uses a relative path for its target, which, when extracted by `oras-go` (\u003c= 2.6.1) or the `oras` CLI, allows the hardlink to resolve against the process's current working directory (CWD) instead of the intended extraction base, leading to arbitrary file read or modification in the victim's CWD via an inode-sharing vulnerability.","title":"Oras-Go Tar Extraction Vulnerability Allows Current Working Directory Escape (CVE-2026-50163)","url":"https://feed.craftedsignal.io/briefs/2026-07-oras-go-tar-extraction-cwd-escape/"}],"language":"en","title":"CraftedSignal Threat Feed - Oras-Go/V2 (\u003c= 2.6.1)","version":"https://jsonfeed.org/version/1.1"}