CVE-2026-50163

oras-project · oras-go

The oras-go library is affected by path traversal and improper link resolution vulnerabilities, potentially allowing unauthorized file access.

Executive summary

The oras-go library is vulnerable to path traversal and improper link resolution, which could allow an attacker to access files outside the intended directory.

Vulnerability

This vulnerability involves path traversal (CWE-22) and improper link resolution (CWE-59) within the OCI artifact management library. The vulnerability is exploitable by an unauthenticated attacker via a maliciously crafted artifact.

Business impact

Successful exploitation allows an attacker to read sensitive files from the host system where the library is being utilized. Given the CVSS score of 7.1, this represents a significant risk to data confidentiality, potentially leading to the exposure of configuration files, credentials, or other sensitive system data.

Remediation

Immediate Action: Update the oras-go library to version 2.6.2 or later to incorporate the necessary security patches.

Proactive Monitoring: Review application logs for unusual file access patterns or attempts to navigate outside of defined storage directories for OCI artifacts.

Compensating Controls: Ensure that the application utilizing this library runs with the minimum necessary filesystem permissions to restrict the impact of potential directory traversal attempts.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

The high severity of this vulnerability necessitates immediate attention for all users of the oras-go library. Organizations should prioritize updating to version 2.6.2 to remediate the path traversal and link resolution risks, effectively closing the window for potential unauthorized file access.