VYPR
Medium severity4.9OSV Advisory· Published Jul 25, 2025· Updated Jun 17, 2026

CVE-2025-30086

CVE-2025-30086

Description

CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter password=~ could be abused to leak out a user's password hash character by character. An attacker with administrator access could exploit this to leak highly sensitive information stored in the Harbor database. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/goharbor/harborGo
>= 2.13.0, < 2.13.12.13.1
github.com/goharbor/harborGo
>= 2.4.0-rc1.1, < 2.12.42.12.4
github.com/goharbor/harborGo
< 2.4.0-rc1.0.20250331071157-dce7d9f5cffb2.4.0-rc1.0.20250331071157-dce7d9f5cffb

Affected products

3

Patches

Vulnerability mechanics

References

9

News mentions

0

No linked articles in our index yet.