GHSA-qhh4-458h-xwh2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qhh4-458h-xwh2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qhh4-458h-xwh2/GHSA-qhh4-458h-xwh2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qhh4-458h-xwh2
- Published
- 2026-05-08T20:06:00Z
- Modified
- 2026-05-08T20:36:35.342191Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N CVSS Calculator
- Summary
- @cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry
- Details
-
Docker registry auth substring match forwards credentials to a different registry
Repository
cdxgen/cdxgenAffected product/package
- Ecosystem: npm
- Package:
@cyclonedx/cdxgen - Reviewed tree version:
12.3.3 - Reviewed commit:
b1e179869fd7c6032c3d483c3f7bd4d7154ec22b - Affected file:
lib/managers/docker.js - Affected from: v9.9.5
The Single Executable Applications (SEA) binaries and container images are also affected.
Weakness
CWE-522 / CWE-346.
Summary
When cdxgen scans or pulls container images through the Docker daemon API, it builds an
X-Registry-Authheader from Docker credentials inDOCKER_CONFIG/config.json. The credential selection logic matches configured registry keys with substring checks:if (forRegistry && !serverAddress.includes(forRegistry)) { continue; }This is not an origin-safe registry comparison. For example, credentials configured for
private-registry.example.comare selected for a requested image underregistry.example.com, because:"private-registry.example.com".includes("registry.example.com") === trueThe selected credentials are then serialized into
X-Registry-Authfor the Docker API pull request targeting the requested registry.Reproduction
Use the attached/local proof:
node submissions/github-gsa/cdxgen-docker-registry-auth-substring-forwarding/evidence/cdxgen_docker_registry_auth_substring_probe.mjsThe proof is fully local. It creates a temporary Docker config containing credentials for
private-registry.example.com, starts a localhost mock Docker API endpoint, setsDOCKER_HOSTto that endpoint, then calls cdxgen's exported Docker request path for a pull fromregistry.example.com.Observed vulnerable output:
{ "decision": "GO", "dockerConfigAuthHost": "private-registry.example.com", "requestedRegistry": "registry.example.com", "substringMatch": true, "dockerApiUrl": "/images/create?fromImage=registry.example.com/team/app:latest", "headerPresent": true, "decodedHeader": { "username": "trusted-user", "password": "trusted-pass", "serveraddress": "private-registry.example.com" } }Impact
If an operator has Docker credentials for a private registry and uses cdxgen to scan an image from a different registry whose hostname is a substring of that private registry hostname, cdxgen can attach the private registry credentials to the Docker pull request for the different registry.
In a realistic attack, an attacker who controls or can observe the requested registry can induce a victim to scan an image from that registry. The Docker daemon API receives an
X-Registry-Authpayload containing credentials for the victim's private registry but associated with the attacker-requested pull. This is a credential forwarding/misbinding issue in cdxgen's container image handling.References
Functions
normalizeRegistryHostandregistriesMatchadded to normalize and perform strict host matching.Fix PR: https://github.com/cdxgen/cdxgen/pull/3964
Researcher: Francesco SabiuResearcher: Francesco Sabiu
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": null, "cwe_ids": [ "CWE-346", "CWE-522" ], "github_reviewed_at": "2026-05-08T20:06:00Z" }- References
Affected packages
npm / @cyclonedx/cdxgen
Package
- Name
- @cyclonedx/cdxgen
- View open source insights on deps.dev
- Purl
- pkg:npm/%40cyclonedx/cdxgen