Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-8xwf-rjm4-xvhv | oras-go has file store write outside workingDir via symlink traversal |
Fri, 17 Jul 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in oras-go. The file content store, intended to confine writes to a specified working directory, does not properly account for symbolic link (symlink) traversal. A remote attacker, by providing a specially crafted blob title, could exploit this vulnerability to create files outside the intended working directory. This filesystem boundary bypass allows for arbitrary file creation, potentially leading to unauthorized data modification or system compromise depending on the runtime environment. | oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, resolveWritePath() in content/file/file.go uses a lexical filepath.Rel check for workingDir and does not account for symlink traversal, so when AllowPathTraversalOnWrite=false an attacker-controlled blob title through ocispec.AnnotationTitle such as out/pwn.txt can follow a workingDir symlink out -> /some/outside/dir and cause pushFile() to create /some/outside/dir/pwn.txt outside workingDir. This issue is fixed in version 2.6.1. |
| Title | oras-go: oras-go: File store write outside working directory via symlink traversal | oras-go: file store write outside workingDir via symlink traversal |
| Weaknesses | CWE-73 | |
| References |
| |
| Metrics |
cvssV4_0
|
Tue, 14 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in oras-go. The file content store, intended to confine writes to a specified working directory, does not properly account for symbolic link (symlink) traversal. A remote attacker, by providing a specially crafted blob title, could exploit this vulnerability to create files outside the intended working directory. This filesystem boundary bypass allows for arbitrary file creation, potentially leading to unauthorized data modification or system compromise depending on the runtime environment. | |
| Title | oras-go: oras-go: File store write outside working directory via symlink traversal | |
| Weaknesses | CWE-22 | |
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-17T19:39:28.847Z
Reserved: 2026-06-03T20:54:20.432Z
Link: CVE-2026-50162
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T16:00:05Z
Github GHSA