CVE-2025-30086

Published: Jul 25, 2025

Modified: Jul 25, 2025

PUBLISHED

Description

CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter password=~ could be abused to leak out a user's password hash character by character. An attacker with administrator access could exploit this to leak highly sensitive information stored in the Harbor database. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/goharbor/harbor/releases

https://www.elttam.com/blog/plormbing-your-django-orm/

https://goharbor.io/blog/

https://github.com/goharbor/harbor/security/advisories/GHSA-h27m-3qw8-3pw8

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-30086

Description

Affected Products

References