GHSA-h27m-3qw8-3pw8: Possible ORM Leak Vulnerability in the Harbor

Impact

Administrator users on Harbor could exploit an ORM Leak (https://www.elttam.com/blog/plormbing-your-django-orm/) vulnerability that was present in the /api/v2.0/users endpoint to leak users’ password hash and salt values. This vulnerability was introduced into the application because the q URL parameter allowed the administrator to filter users by any column, and the filter password=~ could be abused to leak out a user’s password hash character by character.

An attacker with administrator access could exploit this vulnerability to leak highly sensitive information stored on the Harbor database, as demonstrated in the attached writeup by the leaking of users’ password hashes and salts. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack, and could potentially be exploitable by lower privileged users to gain unauthorised access to other sensitive information.
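The defect the advisory describes is a filter interface that accepts any column of the users table as a filter key, so a fuzzy match on a secret column becomes a yes/no oracle even though the column is never returned in the response. The Go example below is added here to show that failure beside the corresponding fix; it is not Harbor's code or its patch. The q grammar (comma-separated clauses, `=` for exact match, `=~` for substring match) and the column names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Filter is one parsed clause from the q parameter: "field=value" for an
// exact match or "field=~value" for a substring (fuzzy) match.
type Filter struct {
	Field string
	Fuzzy bool
	Value string
}

// ErrFieldNotFilterable is returned when a clause names a column that the
// endpoint does not expose for filtering.
var ErrFieldNotFilterable = errors.New("field is not filterable")

// ParseQ splits a comma-separated q parameter into clauses. The grammar is an
// assumption for this example, not Harbor's real one.
func ParseQ(q string) ([]Filter, error) {
	var filters []Filter
	for _, clause := range strings.Split(q, ",") {
		clause = strings.TrimSpace(clause)
		if clause == "" {
			continue
		}
		field, rest, ok := strings.Cut(clause, "=")
		if !ok || field == "" {
			return nil, fmt.Errorf("malformed clause %q", clause)
		}
		f := Filter{Field: field, Value: rest}
		if strings.HasPrefix(rest, "~") {
			f.Fuzzy = true
			f.Value = strings.TrimPrefix(rest, "~")
		}
		filters = append(filters, f)
	}
	return filters, nil
}

// whereClause renders clauses as a parameterised WHERE fragment. Values are
// bound, never interpolated, so the issue here is not SQL injection: it is
// which columns a caller is permitted to compare against at all. Column names
// reach the SQL text only after passing the allowlist check.
func whereClause(filters []Filter, allowed map[string]bool) (string, []any, error) {
	var parts []string
	var args []any
	for _, f := range filters {
		if !allowed[f.Field] {
			return "", nil, fmt.Errorf("%w: %s", ErrFieldNotFilterable, f.Field)
		}
		if f.Fuzzy {
			parts = append(parts, f.Field+" LIKE ?")
			args = append(args, "%"+f.Value+"%")
		} else {
			parts = append(parts, f.Field+" = ?")
			args = append(args, f.Value)
		}
	}
	return strings.Join(parts, " AND "), args, nil
}

// userColumns stands in for every column of the users table (illustrative
// names, not Harbor's schema). Secret-bearing columns are included on purpose
// to show the weak configuration.
var userColumns = map[string]bool{
	"user_id": true, "username": true, "email": true, "realname": true,
	"password": true, "salt": true,
}

// userFilterableFields is the hardened allowlist: only attributes that are
// already visible in the API response may be used as filter keys.
var userFilterableFields = map[string]bool{
	"user_id": true, "username": true, "email": true, "realname": true,
}

// BuildUnrestricted is the vulnerable pattern: any real column is accepted,
// so a fuzzy filter on password or salt turns the endpoint into an oracle
// that answers "does the stored value contain this substring?".
func BuildUnrestricted(q string) (string, []any, error) {
	filters, err := ParseQ(q)
	if err != nil {
		return "", nil, err
	}
	return whereClause(filters, userColumns)
}

// BuildRestricted is the hardened pattern: clauses naming columns outside the
// allowlist are rejected before any query is built.
func BuildRestricted(q string) (string, []any, error) {
	filters, err := ParseQ(q)
	if err != nil {
		return "", nil, err
	}
	return whereClause(filters, userFilterableFields)
}

func main() {
	// Constructed sample inputs: the second one names a secret column.
	for _, q := range []string{"username=~adm", "username=~adm,password=~x"} {
		w, args, err := BuildRestricted(q)
		fmt.Printf("q=%q -> where=%q args=%v err=%v\n", q, w, args, err)
	}
}
```

Two points the example is meant to make. First, stripping the hash and salt from the JSON response is not a fix: the leak happens through the match/no-match behaviour of the query, not through the returned fields, so the control has to sit on the filter keys. Second, the allowlist is a default-deny map, which is what makes the hardened variant fail closed for every column the endpoint's maintainers have not explicitly reviewed, including any added to the table later.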

Patches

None available

Workarounds

NA

References

Credit

alex@elttam.com

CVE-2025-30086

Possible ORM Leak Vulnerability in the Harbor

Moderate severity · GitHub Reviewed · Published Jul 23, 2025 in goharbor/harbor · Updated Jul 23, 2025

Package

gomod github.com/goharbor/harbor (Go)

Affected versions

= 2.13.0

>= 2.4.0-rc1.1, < 2.12.4

< 2.4.0-rc1.0.20250331071157-dce7d9f5cffb

Patched versions

2.13.1

2.12.4

2.4.0-rc1.0.20250331071157-dce7d9f5cffb


References

  • GHSA-h27m-3qw8-3pw8
  • goharbor/harbor@dce7d9f

Published to the GitHub Advisory Database

Jul 23, 2025

Last updated

Jul 23, 2025
