Skip to content

security: oras-go v2 ≤2.6.1 hardlink tar-extraction escape (GHSA-fxhp-mv3v-67qp, HIGH) — transitive, no patch yet #5687

Description

@devantler

🤖 Generated by the Daily AI Assistant

Problem

Dependabot flags 2 open HIGH alerts (#163 root go.mod, #164 desktop/go.mod) for GHSA-fxhp-mv3v-67qp (CVSS 7.1, published 2026-07-01): oras.land/oras-go/v2 <= 2.6.1 tar extraction — a hardlink entry with a relative Linkname can escape the extraction dir via process-CWD resolution (content/file/utils.go ensureLinkPath validates the resolved path but returns the unresolved one).

No patched release exists yet (first_patched_version: null), so Dependabot cannot open a bump PR.

Exposure

oras-go/v2 v2.6.1 is indirect, pulled by several direct deps: helm.sh/helm/v3@3.20.2, helm.sh/helm/v4@4.2.2, kubescape/v3@3.0.48, loft-sh/vcluster@0.34.5, open-policy-agent/opa@1.14.1, derailed/k9s@0.51.0, rancher/k3k@1.1.0. Likely reachable surface: OCI chart/artifact pulls that extract tars via oras's content/file store (helm OCI, kubescape artifact downloads). Needs a govulncheck reachability pass once the OSV entry lands to confirm whether ksail's call graph actually reaches ensureLinkPath.

Proposed direction

  1. Watch for the patched oras-go/v2 release; when it ships, bump the transitive pin in root + desktop go.mod (go get oras.land/oras-go/v2@<fixed> + tidy both modules) without waiting for the parents to re-pin.
  2. Meanwhile run govulncheck ./... reachability; if unreachable, note it here and deprioritise; if reachable, consider whether any ksail path extracts untrusted OCI artifacts (mitigation: none obvious short of vendoring the fix).
  3. Close when both Dependabot alerts auto-resolve after the bump.

Rough size

Small (a pinned bump + tidy in two modules) once the patch exists; the reachability pass is ~an hour.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions