CVE-2025-30086
📋 TL;DR
This vulnerability allows Harbor administrators to exploit an ORM leak in the /api/v2.0/users endpoint to extract users' password hashes and salts character by character. Attackers with admin access can abuse the q URL parameter filtering to leak sensitive authentication data stored in the Harbor database. All Harbor instances running vulnerable versions with administrator accounts are affected.
💻 Affected Systems
- CNCF Harbor
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrator extracts all user password hashes and salts, enabling offline brute-force attacks that could compromise all Harbor accounts and potentially lead to lateral movement within the environment.
Likely Case
Malicious or compromised administrator leaks password hashes for targeted users, potentially enabling account takeover of those specific users within Harbor.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized administrators who shouldn't have access to password hashes in the first place.
🎯 Exploit Status
Exploitation requires administrator credentials. The technique involves abusing the filter parameter with password=~ queries to extract hash characters incrementally.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.13.1 or 2.12.4
Vendor Advisory: https://github.com/goharbor/harbor/security/advisories/GHSA-h27m-3qw8-3pw8
Restart Required: Yes
Instructions:
1. Backup Harbor configuration and database.
2. Stop Harbor services.
3. Update to Harbor 2.13.1 (for 2.13.x) or 2.12.4 (for 2.12.x).
4. Restart Harbor services.
5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Administrator Access
Limit the number of administrator accounts and implement strict access controls for admin privileges.
Network Segmentation
Restrict access to Harbor API endpoints to only trusted networks and users.
🧯 If You Can't Patch
- Implement strict monitoring and alerting for unusual API queries to the /api/v2.0/users endpoint
- Rotate all user passwords after patching to mitigate any potential hash leaks
🔍 How to Verify
Check if Vulnerable:
Check Harbor version via web interface or by inspecting the Harbor container/image version. Vulnerable if version is 2.13.0 or earlier in 2.13.x branch, or 2.12.3 or earlier in 2.12.x branch.
Check Version:
docker exec harbor-core cat /etc/harbor/harbor.yml | grep version
Verify Fix Applied:
Confirm Harbor version is 2.13.1 or higher (for 2.13.x) or 2.12.4 or higher (for 2.12.x). Test that password hash filtering via q parameter no longer works.
📡 Detection & Monitoring
Log Indicators:
- Unusual API queries to /api/v2.0/users with filter parameters containing 'password' or pattern matching characters
- Multiple sequential requests to the same endpoint with incremental filter patterns
Network Indicators:
- HTTP requests with q parameter containing password-related filtering patterns
- Unusual volume of requests to user management endpoints from administrator accounts
SIEM Query:
source="harbor" AND url_path="/api/v2.0/users" AND (query_string="*password*" OR query_string="*~*")
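A log-level complement to the SIEM query above, added here as an illustration (not part of the advisory or of Harbor itself): it decodes the q parameter from constructed access-log lines, flags fuzzy-match filters (the k=~v form) on the password or salt field of /api/v2.0/users, and groups probes from the same account whose match prefix grows one character at a time, which is the incremental pattern the Log Indicators describe. The log line layout (user, method, request target) and the hash prefixes are assumptions.

```python
from urllib.parse import urlsplit, parse_qs
import re

# Constructed sample access-log lines (not real Harbor output): user, method, request target.
SAMPLE_LOG = """\
admin GET /api/v2.0/users?q=username%3Dalice&page=1
admin GET /api/v2.0/users?q=password%3D~a&page=1
admin GET /api/v2.0/users?q=password%3D~a3&page=1
admin GET /api/v2.0/users?q=password%3D~a3f&page=1
bob GET /api/v2.0/projects?q=name%3D~lib
"""

# Harbor's q syntax uses "field=~value" for fuzzy matching; capture field and value.
FUZZY_RE = re.compile(r"^(?P<field>[A-Za-z_]+)=~(?P<value>.*)$")
SENSITIVE_FIELDS = {"password", "salt"}

def parse_line(line):
    """Split a constructed log line into (user, path, decoded q parameter)."""
    user, _method, target = line.split()
    parts = urlsplit(target)
    q = parse_qs(parts.query).get("q", [""])[0]   # parse_qs also URL-decodes the value
    return user, parts.path, q

def is_password_probe(path, q):
    """True when the users endpoint is filtered with a fuzzy match on a sensitive field."""
    if path != "/api/v2.0/users":
        return False
    m = FUZZY_RE.match(q)
    return bool(m) and m.group("field").lower() in SENSITIVE_FIELDS

def find_incremental_runs(lines, min_len=3):
    """Return (user, [values]) for runs of probes where each value extends the previous by one char."""
    runs, current = [], {}
    def flush(user):
        if len(current.get(user, [])) >= min_len:
            runs.append((user, current[user]))
    for line in lines:
        user, path, q = parse_line(line)
        if not is_password_probe(path, q):
            continue
        value = FUZZY_RE.match(q).group("value")
        prev = current.get(user)
        if prev and value.startswith(prev[-1]) and len(value) == len(prev[-1]) + 1:
            prev.append(value)
        else:
            flush(user)
            current[user] = [value]
    for user in list(current):
        flush(user)
    return runs

if __name__ == "__main__":
    for user, values in find_incremental_runs(SAMPLE_LOG.splitlines()):
        print(f"incremental password-filter probing by {user}: {values}")
```

Single probes are already worth an alert on an unpatched instance; the run detector mainly helps prioritise when the SIEM query fires often.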