Full Report
Beego is a popular Object Relational Mapper (ORM) for Go. Its filter syntax is heavily based on Django's ORM, so the techniques from elttam's earlier Django ORM article (plORMbing your Django ORM) carried over to Go. The main requirement is that the attacker can fully control the filter expression. The authors searched GitHub for vulnerable projects with SourceGraph and quickly landed on Harbor, where a user-controlled query parameter was concatenated with a filter key carrying an `__icontains` suffix. Supplying `email` as the input returned every email address, and because `__` also traverses relationships, the filter could be pointed at internal sensitive fields such as `password` and `salt`. The Harbor team first tried to patch this by restricting which fields could appear in the filter. The authors noticed that for an input of `a__b` the filtering engine saw only `a`, while the ORM parsed the full `a__b`. The second patch limited the number of `__` sequences in the filter; it was bypassed by putting a single `__` in the input, which, after the concatenation described above, produced two in the real filter. The authors note that these issues are common in their client engagements and in bug bounty targets. Overall, a good post on an ORM leak issue, which somewhat resembles NoSQL injection.
Analysis Summary
# Vulnerability: ORM Leak and Filter Bypass in Harbor via Beego ORM
## CVE Details
- **CVE ID:** CVE-2025-30086
- **CVSS Score:** Not rated at time of writing (estimated High)
- **CWE:** CWE-209 (Generation of Error Message Containing Sensitive Information) / CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)
## Affected Systems
- **Products:** Harbor (Cloud Native Container Registry)
- **Versions:** Versions prior to the patch releases of early 2025 (the linked sources indicate v2.12.2 and earlier are affected).
- **Configurations:** Deployments where user-controlled query parameters (specifically the `q` parameter) reach Beego ORM through the `setFilters` function.
## Vulnerability Description
The vulnerability is an "ORM leak": an attacker controls part of the filter expression used in a database query. In Harbor, the `setFilters` function in `src/lib/orm/query.go` concatenated a user-controlled key with the `__icontains` suffix before handing it to Beego ORM.
Because Beego ORM uses Django-style lookups, where `__` both separates the field from the lookup type and traverses relationships, an attacker can supply internal field names (e.g., `password`, `salt`) or paths into related tables as the filter key. The endpoint only needs to reveal whether any rows matched: each `__icontains` query then acts as a yes/no oracle for "does the value contain this substring", and the attacker can recover the value one character at a time.
The Harbor team attempted two patches:
1. **Initial patch:** Restricted the allowed field names. **Bypass:** A parser discrepancy: for a key of the form `a__b`, the filter validation saw only `a`, while the ORM parsed the full path `a__b`.
2. **Second patch:** Limited the number of `__` sequences in the user-supplied key. **Bypass:** The key was still concatenated with `__icontains`, so an input containing a single `__` produced a filter with two, which the ORM accepted as a nested lookup.
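The following Go program is an added example, not code from Harbor, Beego or the elttam post. It models a Django-style lookup parser over an in-memory table (the `projects` rows, the `name`/`owner` allow-list and the hash values are all constructed), reproduces the `userKey + "__icontains"` sink, models the two patches as described above (the first validates only the text before the first `__`, the second additionally caps the count of `__` in the user key; both models are an assumption about the shape of the real patches, not Harbor's code), and shows how a yes/no `icontains` oracle recovers a hidden value character by character. `safeKey` is the exact-match allow-list shape of a durable fix.

```go
package main

import (
	"fmt"
	"strings"
)

// Row stands in for an ORM model and a nested Row for a relation (a project's "owner"
// is a user row); all data is constructed for the example.
type Row map[string]any

var projects = []Row{
	{"name": "alice-proj", "owner": Row{"username": "alice", "password": "5f4dcc3b", "salt": "n8Kq"}},
	{"name": "bob-proj", "owner": Row{"username": "bob", "password": "e99a18c4", "salt": "Zx21"}},
}

// parseLookup mimics a Django-style ORM reading "owner__password__icontains": split on
// "__"; a trailing known operator is the lookup type, everything before it is the path.
func parseLookup(key string) (path []string, op string) {
	path, op = strings.Split(key, "__"), "exact"
	if n := len(path); n > 1 && (path[n-1] == "exact" || path[n-1] == "icontains") {
		path, op = path[:n-1], path[n-1]
	}
	return path, op
}

// resolve walks a relation path on one row; ok is false if the path does not exist.
func resolve(r Row, path []string) (string, bool) {
	var cur any = r
	for _, p := range path {
		m, ok := cur.(Row)
		if !ok {
			return "", false
		}
		cur = m[p]
	}
	s, ok := cur.(string)
	return s, ok
}

// query ANDs every key/value filter, like chained QuerySeter.Filter calls.
func query(rows []Row, filters map[string]string) (out []Row) {
	for _, r := range rows {
		match := true
		for key, want := range filters {
			path, op := parseLookup(key)
			got, ok := resolve(r, path)
			if op == "icontains" {
				ok = ok && strings.Contains(strings.ToLower(got), strings.ToLower(want))
			} else {
				ok = ok && got == want
			}
			match = match && ok
		}
		if match {
			out = append(out, r)
		}
	}
	return out
}

// vulnerableKey is the sink pattern: user-controlled key + "__icontains".
func vulnerableKey(userKey string) string { return userKey + "__icontains" }

// patch1Allowed models the first fix: the allow-list sees only the text before the
// first "__" while the ORM walks the whole path (the parser discrepancy).
func patch1Allowed(userKey string) bool {
	return map[string]bool{"name": true, "owner": true}[strings.SplitN(userKey, "__", 2)[0]]
}

// patch2Allowed models the second fix: also cap "__" in the user key; "owner__password"
// has one, passes, and still becomes "owner__password__icontains" after concatenation.
func patch2Allowed(userKey string) bool {
	return patch1Allowed(userKey) && strings.Count(userKey, "__") <= 1
}

// safeKey is the durable fix: an exact-match allow-list from public query field to a
// fixed ORM lookup, so user text is never spliced into a lookup string.
func safeKey(userKey string) (string, bool) {
	k, ok := map[string]string{"name": "name__icontains", "owner": "owner__username__icontains"}[userKey]
	return k, ok
}

// leakViaContains recovers a hidden value from a yes/no icontains oracle: grow the
// known substring one character to the right while that works, then to the left.
func leakViaContains(oracle func(string) bool, charset string) (known string) {
	grow := func(right bool) bool {
		for _, c := range charset {
			cand := string(c) + known
			if right {
				cand = known + string(c)
			}
			if oracle(cand) {
				known = cand
				return true
			}
		}
		return false
	}
	for grow(true) || grow(false) {
	}
	return known
}

func main() {
	userKey := "owner__password" // attacker-controlled filter key
	oracle := func(sub string) bool { // all the attacker observes: did any rows come back?
		return len(query(projects, map[string]string{"name": "alice-proj", vulnerableKey(userKey): sub})) > 0
	}
	fmt.Println("patches allow it:", patch1Allowed(userKey), patch2Allowed(userKey))
	fmt.Println("leaked password hash for alice:", leakViaContains(oracle, "0123456789abcdef"))
}
```

With `owner__password` both modelled patches pass the key, the ORM parses the joined string as the path `owner` then `password` with the `icontains` operator, and the oracle loop reconstructs alice's constructed hash from nothing more than "were any rows returned". The `name` filter isolates one record first, which is how an attacker avoids mixing several users' values in the oracle; the left-growth phase is only needed because the lookup is contains-style rather than `startswith`.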
## Exploitation
- **Status:** PoC available (the technique is documented by elttam and has been used in bug bounty and research engagements).
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (Remote via web API).
## Impact
- **Confidentiality:** High. Attackers can leak sensitive user information, including email addresses, password hashes, and salts from the database.
- **Integrity:** None reported.
- **Availability:** Low (Potential for database denial of service via complex relational queries).
## Remediation
### Patches
- Users should update to the latest version of Harbor (refer to the Harbor GitHub repository for the most recent security releases addressing CVE-2025-30086).
### Workarounds
- Enforce an exact-match allow-list of filterable field names at the application layer (or, as a stopgap, at a WAF or API gateway), and map each allowed name to a fixed ORM lookup instead of concatenating user input into the lookup string.
- Reject any user-supplied filter key containing `__` before it reaches the ORM. On its own this is not sufficient: a bare sensitive column name such as `password` contains no `__` yet still leaks through `__icontains`.
## Detection
- **Indicators of Compromise:** Unusual query parameters in web logs containing double underscores (`__`) or references to sensitive database columns (e.g., `salt`, `password`, `secret`).
- **Detection Methods:**
- Use **Semgrep** with the rules provided by elttam to identify dangerous ORM sinks.
- Monitor for high-frequency requests to "List" API endpoints with varying single-character changes in query filters (indicative of brute-force leaking).
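As an added example (not part of the original analysis or of any Harbor tooling), the Go program below implements both detection methods over a handful of constructed access-log lines. It assumes the list endpoint takes Harbor-style `q=key=~value` fuzzy filters and that the logs are in combined format; the IPs, timestamps, paths and filter values are made up.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed combined-format access-log lines; not real Harbor logs. Assumption: the
// list endpoint takes Harbor-style "q=key=~value" fuzzy filters ("=" URL-encoded as %3D).
const sampleLog = `10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "GET /api/v2.0/projects?q=name%3D~web HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2025:10:00:02 +0000] "GET /api/v2.0/projects?q=owner__password%3D~5 HTTP/1.1" 200 312
10.0.0.9 - - [01/Mar/2025:10:00:02 +0000] "GET /api/v2.0/projects?q=owner__password%3D~5f HTTP/1.1" 200 312
10.0.0.9 - - [01/Mar/2025:10:00:03 +0000] "GET /api/v2.0/projects?q=owner__password%3D~5f4 HTTP/1.1" 200 312
10.0.0.9 - - [01/Mar/2025:10:00:03 +0000] "GET /api/v2.0/projects?q=owner__password%3D~5f4d HTTP/1.1" 200 312
10.0.0.7 - - [01/Mar/2025:10:00:04 +0000] "GET /api/v2.0/projects?q=name%3D~backend HTTP/1.1" 200 812`

// Finding is one alert: who, why, which endpoint, and the raw q filter that triggered it.
type Finding struct {
	Client, Reason, Path, Filter string
}

var (
	lineRe      = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)
	sensitiveRe = regexp.MustCompile(`(?i)(^|[^a-z])(password|salt|secret|token)([^a-z]|$)`)
)

// splitFilter turns "owner__password=~5f" into its key and value ("~" marks fuzzy match).
func splitFilter(q string) (key, value string) {
	k, v, _ := strings.Cut(q, "=")
	return k, strings.TrimPrefix(v, "~")
}

// oneCharStep reports whether cur is prev with one character appended, prepended or changed.
func oneCharStep(prev, cur string) bool {
	switch len(cur) - len(prev) {
	case 1:
		return strings.HasPrefix(cur, prev) || strings.HasSuffix(cur, prev)
	case 0:
		diff := 0
		for i := range prev {
			if prev[i] != cur[i] {
				diff++
			}
		}
		return diff == 1
	}
	return false
}

type track struct {
	last  string
	steps int
}

// analyze flags (a) filter keys that traverse relations ("__") or name sensitive columns
// and (b) a client re-querying the same endpoint and key with one-character changes to
// the value at least threshold times in a row, the shape of an icontains brute force.
func analyze(log string, threshold int) []Finding {
	var out []Finding
	state := map[string]*track{}
	for _, line := range strings.Split(log, "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		u, err := url.Parse(m[3])
		if err != nil {
			continue
		}
		client, q := m[1], u.Query().Get("q")
		if q == "" {
			continue
		}
		key, val := splitFilter(q)
		if strings.Contains(key, "__") || sensitiveRe.MatchString(key) {
			out = append(out, Finding{client, "sensitive-filter-key", u.Path, q})
		}
		id := client + " " + u.Path + " " + key
		t, ok := state[id]
		if !ok {
			t = &track{}
			state[id] = t
		}
		if t.last != "" && oneCharStep(t.last, val) {
			t.steps++
			if t.steps == threshold { // alert once, when the run first reaches the threshold
				out = append(out, Finding{client, "filter-brute-force", u.Path, q})
			}
		} else {
			t.steps = 0
		}
		t.last = val
	}
	return out
}

func main() {
	for _, f := range analyze(sampleLog, 3) {
		fmt.Printf("%-9s %-22s %s q=%s\n", f.Client, f.Reason, f.Path, f.Filter)
	}
}
```

On the sample, every `owner__password` request from 10.0.0.9 is flagged on the key alone, and the fourth request trips the brute-force rule because the value has grown by one character three times in a row. Tune `threshold` per endpoint: a legitimate user refining a search also produces one-character steps, so correlate the brute-force signal with request rate and with `sensitive-filter-key` hits before alerting.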
## References
- elttam Research: [https://www.elttam.com/blog/leaking-more-than-you-joined-for/](https://www.elttam.com/blog/leaking-more-than-you-joined-for/)
- Beego ORM: [https://github.com/beego/beego](https://github.com/beego/beego)
- Harbor Repository: [https://github.com/goharbor/harbor](https://github.com/goharbor/harbor)
- Semgrep Rules: [https://github.com/elttam/semgrep-rules](https://github.com/elttam/semgrep-rules)