CVE-2025-30086 – github.com/goharbor/harbor

Package

Manager: go
Name: github.com/goharbor/harbor
Vulnerable Version: =2.13.0 || >=2.13.0 <2.13.1 || >=2.4.0-rc1.1 <2.12.4 || >=0 <2.4.0-rc1.0.20250331071157-dce7d9f5cffb

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0004 pctl0.11141

Details

Possible ORM Leak Vulnerability in the Harbor ### Impact Administrator users on Harbor could exploit an ORM Leak (https://www.elttam.com/blog/plormbing-your-django-orm/) vulnerability that was present in the `/api/v2.0/users` endpoint to leak users' password hash and salt values. This vulnerability was introduced into the application because the `q` URL parameter allowed the administrator to filter users by any column, and the filter `password=~` could be abused to leak out a user's password hash character by character. An attacker with administrator access could exploit this vulnerability to leak highly sensitive information stored on the Harbor database, as demonstrated in the attached writeup by the leaking of users' password hashes and salts. All endpoints that support the `q` URL parameter are vulnerable to this ORM leak attack, and could potentially be exploitable by lower privileged users to gain unauthorised access to other sensitive information. ### Patches No available ### Workarounds NA ### References ### Credit alex@elttam.com

Metadata

Created: 2025-07-23T15:47:31Z
Modified: 2025-07-25T16:23:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-h27m-3qw8-3pw8/GHSA-h27m-3qw8-3pw8.json
CWE IDs: ["CWE-200", "CWE-202"]
Alternative ID: GHSA-h27m-3qw8-3pw8
Finding: F037
Auto approve: 1