<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Oras-Go/V2 (&lt;= 2.6.1) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/oras-go/v2--2.6.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 12:25:05 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/oras-go/v2--2.6.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>Oras-Go Tar Extraction Vulnerability Allows Current Working Directory Escape (CVE-2026-50163)</title><link>https://feed.craftedsignal.io/briefs/2026-07-oras-go-tar-extraction-cwd-escape/</link><pubDate>Fri, 03 Jul 2026 12:25:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-oras-go-tar-extraction-cwd-escape/</guid><description>An attacker can craft a malicious OCI artifact with a tarball layer containing a hardlink entry that uses a relative path for its target, which, when extracted by `oras-go` (&lt;= 2.6.1) or the `oras` CLI, allows the hardlink to resolve against the process's current working directory (CWD) instead of the intended extraction base, leading to arbitrary file read or modification in the victim's CWD via an inode-sharing vulnerability.</description><content:encoded><![CDATA[<p>A critical vulnerability (CVE-2026-50163) has been identified in <code>oras-go/v2</code> versions &lt;= 2.6.1, including the <code>oras</code> CLI tool, that allows for arbitrary file reading and modification during OCI artifact extraction. An attacker can exploit this by crafting a malicious OCI artifact with a tarball layer containing a hardlink entry whose target is a relative path (e.g., <code>victim.secret</code>). When a victim uses <code>oras pull</code> or any Go application leveraging the vulnerable <code>oras-go/v2/content/file</code> package to extract this artifact, a flaw in the <code>ensureLinkPath</code> function causes the <code>os.Link</code> system call to resolve the relative hardlink target against the invoking process's current working directory (CWD) instead of the intended artifact extraction base. This enables the creation of a hardlink within the extraction directory that points to a sensitive file in the victim's CWD, allowing attackers to exfiltrate or tamper with files like <code>.env</code>, <code>.git/config</code>, or cloud credentials. The impact is elevated to critical if the <code>oras pull</code> operation is executed with root privileges, granting access to virtually any file on the host system.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious OCI artifact layer containing a hardlink entry (<code>Typeflag=TypeLink</code>, <code>Linkname=&quot;victim.secret&quot;</code>, where <code>victim.secret</code> is a relative path). The layer is specifically annotated for auto-extraction (<code>io.deis.oras.content.unpack: &quot;true&quot;</code>).</li>
<li>The malicious artifact is published to an OCI-compliant registry controlled by the attacker or a compromised one.</li>
<li>A victim executes <code>oras pull</code> (or any Go code using <code>oras-go/v2/content/file</code>) to retrieve the artifact, with their current working directory (CWD) containing a sensitive file named <code>victim.secret</code>.</li>
<li>During extraction, <code>oras-go</code>'s <code>ensureLinkPath</code> function validates the hardlink. Due to a logic flaw, it incorrectly returns the original relative <code>Linkname</code> (<code>victim.secret</code>), despite internally resolving a safe absolute path for validation.</li>
<li>The <code>os.Link</code> system call is then invoked with this relative <code>victim.secret</code> as the <code>oldname</code> parameter. Instead of resolving relative to the extraction base, <code>os.Link</code> resolves it against the process's CWD.</li>
<li>A hardlink is created inside the victim's artifact extraction directory (e.g., <code>extract/payload.tar.gz/evil_cwd_link</code>), pointing to the sensitive <code>victim.secret</code> file located in the victim's CWD.</li>
<li>The attacker, by subsequently accessing the extracted artifact (e.g., reading the <code>evil_cwd_link</code> file), can now read the contents of the sensitive <code>victim.secret</code> file from the victim's CWD or modify its contents through the shared inode.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability presents an arbitrary file read primitive, allowing an attacker to access sensitive files from the victim's current working directory (CWD). If <code>oras pull</code> is run by a regular user, files like <code>.env</code>, <code>.git/config</code>, <code>.aws/credentials</code>, SSH configurations, project-local secrets, or CI workspace files are at risk. In high-severity scenarios, such as when <code>oras pull</code> is run as root (e.g., within Kubernetes operators, systemd services without <code>User=</code> isolation, or container entrypoints), the attacker gains the ability to read or tamper with virtually any file on the host filesystem, including <code>/etc/shadow</code>, <code>/root/.ssh/id_rsa</code>, or bind-mounted host paths, making it a critical threat to CI pipelines, container orchestration, and multi-tenant environments. The PoC demonstrated successful inode sharing on Ubuntu 24.04.4 LTS, confirming the ability to access CWD files through the created hardlink.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-50163 immediately:</strong> Upgrade <code>oras-go/v2</code> to a version greater than 2.6.1. For <code>oras</code> CLI users, upgrade to the latest patched version when available.</li>
<li><strong>Implement <code>fs.protected_hardlinks</code>:</strong> Ensure <code>fs.protected_hardlinks=1</code> is enabled on Linux systems. While not a full fix for user-owned files, this mitigates unauthorized hardlinking of root-owned files when the victim process runs as a regular user.</li>
<li><strong>Minimize <code>oras pull</code> CWD exposure:</strong> Restrict the environment where <code>oras pull</code> or <code>oras-go</code> library calls are executed. Do not run <code>oras pull</code> from directories containing sensitive files.</li>
<li><strong>Limit <code>oras pull</code> privileges:</strong> Avoid running <code>oras pull</code> as a privileged user (e.g., <code>root</code>) in production or CI/CD environments. Utilize user namespaces, unprivileged containers, or <code>User=</code> directives in systemd where applicable.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>supply-chain</category><category>go</category><category>linux</category><category>tar</category><category>hardlink</category><category>path-traversal</category><category>arbitrary-file-read</category><category>code-execution</category></item></channel></rss>