CVE-2026-50151

oras-project · oras-go

The oras-go Go library for managing OCI artifacts is vulnerable to server-side request forgery (SSRF) due to improper input validation.

Executive summary

A server-side request forgery vulnerability in the oras-go library allows unauthenticated attackers to perform unauthorized requests to internal resources.

Vulnerability

The library is susceptible to server-side request forgery (CWE-918), where an unauthenticated attacker can manipulate the library to send requests to unintended internal destinations.

Business impact

This vulnerability could allow an attacker to bypass network boundaries, potentially accessing internal services or sensitive configuration endpoints that are not exposed to the public internet. With a CVSS score of 7.5, this high severity flaw represents a significant risk to internal network security and data confidentiality.

Remediation

Immediate Action: Update the oras-go library to version 2.6.1 or later to implement proper input validation and prevent unauthorized request redirection.

Proactive Monitoring: Review egress traffic logs from services utilizing oras-go for unexpected connections to internal IP addresses or sensitive local resources.

Compensating Controls: Implement strict network segmentation and egress filtering to ensure that services running this library cannot communicate with internal infrastructure that is not necessary for their operation.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Updating to version 2.6.1 is essential to eliminate the SSRF risk and protect internal network assets. Security teams should audit applications that incorporate the oras-go library to ensure they are updated promptly and operate within a restricted network environment.