CVE-2025-30086
Published 2025-07-25
Priority: P4 · CVSS 3.1 base score 4.9 (medium)
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.61% (44.6th percentile)
CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter password=~ could be abused to leak out a user's password hash character by character. An attacker with administrator access could exploit this to leak highly sensitive information stored in the Harbor database. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | goharbor_harbor | >= 0 < 2.4.0-rc1.0.20250331071157-dce7d9f5cffb | 2.4.0-rc1.0.20250331071157-dce7d9f5cffb |
| github.com | goharbor_harbor | >= 0 < 2.12.4+incompatible | 2.12.4+incompatible |
| github.com | goharbor_harbor | >= 2.13.0 < 2.13.1 | 2.13.1 |
| github.com | goharbor_harbor | >= 2.13.0+incompatible < 2.13.1+incompatible | 2.13.1+incompatible |
| github.com | goharbor_harbor | >= 2.4.0-rc1.1 < 2.12.4 | 2.12.4 |
OSV · 2025-07-29
CVE-2025-30086: Possible ORM Leak Vulnerability in the Harbor in github.com/goharbor/harbor
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/goharbor/harbor before v2.4.0-rc1.0.20250331071157-dce7d9f5cffb.
GHSA · 2025-07-23
CVE-2025-30086 [MEDIUM] CWE-200: Possible ORM Leak Vulnerability in the Harbor
### Impact
Administrator users on Harbor could exploit an ORM Leak (https://www.elttam.com/blog/plormbing-your-django-orm/) vulnerability that was present in the `/api/v2.0/users` endpoint to leak users' password hash and salt values. This vulnerability was introduced into the application because the `q` URL parameter allowed the administrator to filter users by any column, and the filter `password=~` could be abused to leak out a user's password hash character by character.
An attacker with administrator access could exploit this vulnerability to leak highly sensitive information stored in the Harbor database, as demonstrated in the attached writeup by the leaking of users' password hashes and salts. All endpoints that support the `q` URL parameter are vulnerable to this ORM leak attack.
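The root cause described above is that the `q` parameter was mapped onto any column of the user model, so a filter on `password` reached the ORM. The defensive fix pattern is to parse the filter syntax first and then check every field name against an explicit allowlist of queryable columns before anything is handed to the query layer. The Go snippet below is an added illustration of that pattern, not Harbor's own code: it assumes a simplified `q` grammar of comma-separated `key=value` (exact) and `key=~value` (fuzzy) clauses, as named on this page, and a hypothetical allowlist `allowedUserFields`; the real project's field names and grammar may differ.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Filter is one parsed clause of the q parameter.
type Filter struct {
	Field string
	Op    string // "=" exact match, "=~" fuzzy (substring) match
	Value string
}

// allowedUserFields is a hypothetical allowlist of user columns that may be
// filtered on. Anything not listed (password, salt, ...) is rejected before it
// can reach the ORM. An allowlist is preferred over a denylist because a new
// sensitive column added later is safe by default.
var allowedUserFields = map[string]bool{
	"username": true,
	"email":    true,
	"realname": true,
}

// ErrFieldNotQueryable is returned when a clause names a non-allowlisted field.
var ErrFieldNotQueryable = errors.New("field is not queryable")

// ParseQ splits a q value such as "username=~adm,email=a@b.c" into clauses.
// Only the "k=v" and "k=~v" forms are handled in this illustration.
func ParseQ(q string) ([]Filter, error) {
	var out []Filter
	if strings.TrimSpace(q) == "" {
		return out, nil
	}
	for _, clause := range strings.Split(q, ",") {
		clause = strings.TrimSpace(clause)
		idx := strings.Index(clause, "=")
		if idx <= 0 {
			return nil, fmt.Errorf("malformed clause %q", clause)
		}
		field := clause[:idx]
		rest := clause[idx+1:]
		op := "="
		if strings.HasPrefix(rest, "~") {
			op = "=~"
			rest = rest[1:]
		}
		out = append(out, Filter{Field: field, Op: op, Value: rest})
	}
	return out, nil
}

// ValidateFilters rejects the whole request if any clause names a field that is
// not on the allowlist. Field names are compared case-insensitively so that
// "Password" cannot slip past a case-sensitive check.
func ValidateFilters(fs []Filter, allowed map[string]bool) error {
	for _, f := range fs {
		if !allowed[strings.ToLower(f.Field)] {
			return fmt.Errorf("%w: %s", ErrFieldNotQueryable, f.Field)
		}
	}
	return nil
}

// SafeUserQuery is what a handler would call: it parses q and validates it, and
// only the returned filters are ever forwarded to the query layer.
func SafeUserQuery(q string) ([]Filter, error) {
	fs, err := ParseQ(q)
	if err != nil {
		return nil, err
	}
	if err := ValidateFilters(fs, allowedUserFields); err != nil {
		return nil, err
	}
	return fs, nil
}

func main() {
	// Constructed sample inputs: one legitimate filter, two that must be refused.
	for _, q := range []string{"username=~adm", "password=~abc", "email=a@b.c,salt=x"} {
		fs, err := SafeUserQuery(q)
		fmt.Printf("q=%q -> filters=%v err=%v\n", q, fs, err)
	}
}
```

The validation error carries the offending field name, which is worth logging at the API layer: repeated rejections of filters on `password` or `salt` from an administrator session are a useful signal for detection even after the fix is in place.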
OSV · 2025-07-23
CVE-2025-30086 [MEDIUM]: Possible ORM Leak Vulnerability in the Harbor (same advisory text as the GHSA entry above)
No detection rules found.
No public exploits indexed.
Published: 2025-07-25