CVE-2025-30086: Harbor ORM Leak Exposes User Password Hashes

This blog post details CVE-2025-30086, an information-disclosure vulnerability in CNCF Harbor, the widely used open-source registry for container images and OCI artifacts. The flaw lets a Harbor system administrator read other users' stored password hashes and salts through the user-listing API, values that the API is never meant to expose even to administrators.

Vulnerability Details

  • CVE ID: CVE-2025-30086
  • Description: CNCF Harbor versions 2.13.x before 2.13.1 and 2.12.x before 2.12.4 are vulnerable to information disclosure. An ORM Leak present in the /api/v2.0/users endpoint can be exploited by administrators to leak users' password hash and salt values. By abusing the 'q' URL parameter, an attacker can filter users based on any column, including the password, and progressively extract the password hash character by character.
  • CVSS Score and Vector:
    • CVSS v3.1 Score: 4.9 (Medium)
    • CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
    • Explanation: The Medium rating reflects a trade-off. The attack works over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), but it requires an existing administrator account (PR:H), which rules out unauthenticated or low-privileged attackers. The impact is confined to confidentiality (C:H): password hashes and salts are disclosed, while integrity and availability are untouched (I:N, A:N).
  • Exploit Requirements: Administrator privileges are required to exploit this vulnerability.
  • Affected Vendor, Product, Version:
    • Vendor: CNCF
    • Product: Harbor
    • Affected Versions: 2.13.x before 2.13.1, and 2.12.x before 2.12.4
  • CWE:
    • CWE ID: CWE-200
    • CWE Name: Exposure of Sensitive Information to an Unauthorized Actor (previously listed under the shorter title "Information Exposure")
    • Explanation: CWE-200 covers cases where sensitive data reaches an actor who is not authorized to see it. Here the administrator is authorized to call the users endpoint, but not to learn password hashes and salts; the filter parameter leaks them anyway.

Timeline of Events

  • 2025-07-25: CVE-2025-30086 is published.

Exploitability & Real-World Risk

The vulnerability is straightforward to exploit for anyone holding administrator access to a Harbor instance: a malicious administrator, or an attacker who has obtained an admin session or credential, crafts a sequence of requests with the 'q' parameter and narrows down each user's stored hash one character at a time. An administrator can already reset a user's password, so the real value of the leak is elsewhere: with the hash and salt in hand the attacker can crack the password offline, without rate limits or lockouts, and then try the recovered cleartext against other services where the user may have reused it. How much this matters for a given deployment depends on whether local database users exist at all (installations that authenticate only through LDAP or OIDC have few or none) and on how many people hold the administrator role.

Recommendations

  • Upgrade: Move to Harbor 2.13.1 or later on the 2.13 branch, or to 2.12.4 or later on the 2.12 branch.
  • Principle of Least Privilege: Review user roles and permissions so that the system administrator role is held only by those who genuinely need it; project-level roles suffice for most day-to-day work.
  • Monitoring: Watch API access logs for requests to the /api/v2.0/users endpoint whose 'q' parameter references the password or salt column, and for bursts of such requests from a single client or account, which is the signature of character-by-character extraction. After upgrading, consider rotating passwords for local database users if the logs show such activity, since hashes that leaked before the patch stay useful to an attacker.
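As an added example that is not part of the original post and not Harbor's own tooling, the following Go program implements the monitoring recommendation over a handful of constructed access-log lines. The log format is an assumed, simplified combined format (client, user, request line, status); Harbor's real log format is not reproduced. The program percent-decodes the 'q' parameter before inspecting it, flags any user-list request whose filter names the password or salt column, and then counts flagged requests per client to surface the burst pattern that iterative extraction produces.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed access-log lines in a simplified combined format, assumed for
// this example; Harbor's own log format is not reproduced here.
const sampleLog = `10.0.0.5 - admin [25/Jul/2025:10:00:01 +0000] "GET /api/v2.0/users?q=username%3D~ali HTTP/1.1" 200
10.0.0.9 - admin [25/Jul/2025:10:00:02 +0000] "GET /api/v2.0/users?q=password%3D~8 HTTP/1.1" 200
10.0.0.9 - admin [25/Jul/2025:10:00:02 +0000] "GET /api/v2.0/users?q=password%3D~8f HTTP/1.1" 200
10.0.0.9 - admin [25/Jul/2025:10:00:03 +0000] "GET /api/v2.0/users?q=password%3D~8f2 HTTP/1.1" 200
10.0.0.9 - admin [25/Jul/2025:10:00:03 +0000] "GET /api/v2.0/users?q=salt%3D~a HTTP/1.1" 200
10.0.0.7 - alice [25/Jul/2025:10:00:04 +0000] "GET /api/v2.0/projects?q=name%3D~lib HTTP/1.1" 200
`

// One request line: client, user, method, request target, status.
var lineRe = regexp.MustCompile(`^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Column names that should never appear in a user-list filter.
var sensitiveCol = regexp.MustCompile(`(?i)\b(password|salt)\b`)

type hit struct {
	Client, User, Query string
}

// suspiciousUserQueries returns one hit per request to /api/v2.0/users whose
// decoded q parameter refers to the password or salt column.
func suspiciousUserQueries(log string) []hit {
	var hits []hit
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		u, err := url.Parse(m[4])
		if err != nil || strings.TrimSuffix(u.Path, "/") != "/api/v2.0/users" {
			continue
		}
		q := u.Query().Get("q") // Query() percent-decodes, so %3D becomes "="
		if q != "" && sensitiveCol.MatchString(q) {
			hits = append(hits, hit{Client: m[1], User: m[2], Query: q})
		}
	}
	return hits
}

// clientsAtOrAbove groups hits by client and keeps those with at least n,
// the burst pattern that character-by-character extraction produces.
func clientsAtOrAbove(hits []hit, n int) map[string]int {
	counts := map[string]int{}
	for _, h := range hits {
		counts[h.Client]++
	}
	for c, k := range counts {
		if k < n {
			delete(counts, c)
		}
	}
	return counts
}

func main() {
	hits := suspiciousUserQueries(sampleLog)
	for _, h := range hits {
		fmt.Printf("ALERT client=%s user=%s q=%q\n", h.Client, h.User, h.Query)
	}
	for c, k := range clientsAtOrAbove(hits, 3) {
		fmt.Printf("BURST client=%s sensitive_user_filters=%d\n", c, k)
	}
}
```

Decoding the parameter before matching matters: the column name arrives percent-encoded inside the query string, and a pattern run over the raw request line would be easy to evade with alternative encodings. In a real deployment the same two checks would sit in the SIEM rule for whatever access log fronts Harbor, with the burst threshold tuned to the normal rate of user-list calls.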

Technical Insight

The root cause is an ORM leak in Harbor's API. The 'q' URL parameter exists so callers can filter the user list on fields such as username or email, but it is translated into ORM filter conditions without an allowlist of filterable columns, so every column of the user model, including the stored password hash and salt, can be used in a condition. The endpoint never returns those columns, but it does not need to: whether a given user appears in the filtered result answers a yes/no question about the hidden value, and with a partial-match condition the attacker can fix one character of the hash at a time, recovering the whole hash in a number of requests proportional to its length. This pattern is usually called an ORM leak (the post's tags use the looser term "ORM injection"), and it is a dangerous class of bug because the filtering code looks harmless on its own. The fix is to restrict filterable fields to an explicit allowlist instead of exposing the model's columns.
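To make the mechanism concrete, here is an added Go example, written for this post and not taken from Harbor's code base, that models the flawed filter and its hardened form on a two-row toy user table with constructed placeholder hashes. The query grammar is an assumption for the illustration: "col=value" is an exact match and "col=~value" is a prefix match. The extraction routine never sees a hash directly; it learns each character purely from whether the target user shows up in the filtered result, and it stops with nothing when the allowlisted filter rejects the column.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Toy user table with constructed placeholder hashes (not real credentials).
type user struct {
	Username string
	Email    string
	Password string // stored password hash
	Salt     string
}

var users = []user{
	{Username: "alice", Email: "alice@example.test", Password: "8f2a91c4e0b7d6a5", Salt: "a1"},
	{Username: "bob", Email: "bob@example.test", Password: "3c7e1b9d0a4f5e62", Salt: "b2"},
}

// column looks a field up by name, which is what an ORM does when the caller
// controls the filter key: every column becomes filterable.
func column(u user, name string) (string, bool) {
	switch name {
	case "username":
		return u.Username, true
	case "email":
		return u.Email, true
	case "password":
		return u.Password, true
	case "salt":
		return u.Salt, true
	}
	return "", false
}

// parseQuery accepts the assumed toy grammar "col=value" (exact match) or
// "col=~value" (prefix match).
func parseQuery(q string) (col, op, val string, err error) {
	col, rest, ok := strings.Cut(q, "=")
	if !ok || col == "" {
		return "", "", "", errors.New("malformed query")
	}
	if strings.HasPrefix(rest, "~") {
		return col, "prefix", rest[1:], nil
	}
	return col, "exact", rest, nil
}

// apply runs q against the table; a nil allowlist means any column is accepted.
func apply(q string, allowed map[string]bool) ([]string, error) {
	col, op, val, err := parseQuery(q)
	if err != nil {
		return nil, err
	}
	if allowed != nil && !allowed[col] {
		return nil, fmt.Errorf("column %q is not filterable", col)
	}
	var out []string
	for _, u := range users {
		v, ok := column(u, col)
		if !ok {
			return nil, fmt.Errorf("unknown column %q", col)
		}
		if (op == "exact" && v == val) || (op == "prefix" && strings.HasPrefix(v, val)) {
			out = append(out, u.Username)
		}
	}
	return out, nil
}

// filterVulnerable mirrors the flawed behaviour: any column may be filtered.
func filterVulnerable(q string) ([]string, error) { return apply(q, nil) }

// filterHardened only honours an explicit allowlist of public columns.
var filterable = map[string]bool{"username": true, "email": true}

func filterHardened(q string) ([]string, error) { return apply(q, filterable) }

// extractHash recovers target's stored hash one character at a time, using
// only whether target appears in the filtered result as an oracle.
func extractHash(filter func(string) ([]string, error), target, alphabet string, maxLen int) string {
	prefix := ""
	for len(prefix) < maxLen {
		extended := false
		for _, c := range alphabet {
			cand := prefix + string(c)
			names, err := filter("password=~" + cand)
			if err != nil {
				return prefix // allowlist rejected the column: nothing leaks
			}
			for _, n := range names {
				if n == target {
					prefix, extended = cand, true
					break
				}
			}
			if extended {
				break
			}
		}
		if !extended {
			return prefix // no character extends the prefix: hash is complete
		}
	}
	return prefix
}

func main() {
	fmt.Println("vulnerable:", extractHash(filterVulnerable, "alice", "0123456789abcdef", 64))
	fmt.Println("hardened:  ", extractHash(filterHardened, "alice", "0123456789abcdef", 64))
}
```

Against the vulnerable filter the loop recovers alice's full 16-character hash with at most 16 requests per character; against the hardened filter the very first request is rejected and the result stays empty. The allowlist, not output filtering, is the fix: the response never contained the hash in either case.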

Credit to Researcher(s)

Credit to the security researcher(s) who discovered and responsibly disclosed this vulnerability. (Details Awaiting Analysis)

Tags

#Harbor #CNCF #CVE-2025-30086 #PasswordHashLeak #ORMInjection #Vulnerability #Security
