Full Report
Beego is a popular Object Relational Mapper (ORM) for Golang, and its filtering syntax is heavily based on the Django ORM. Because of these similarities, the techniques from the authors' earlier Django ORM article (plORMbing) worked on Golang as well. The main requirement was the ability to fully control the filterExpression. The authors then searched GitHub for vulnerable projects using SourceGraph, and a simple search led them to Harbor.

In Harbor, a user-controlled query parameter was being concatenated into the key of a filter ending in the __icontains field. Supplying email as the input returned all email addresses, and it was also possible to filter on internal sensitive fields such as password and salt. The Harbor team tried to patch this by limiting which fields could be placed in the filter. The authors noticed that if a__b was used, the ORM would parse b while the filtering check only saw a. A second patch tried to limit the number of __ sequences in the filter. This was bypassed using the concatenation described above: the input contained only a single __, but the real filter ended up with two.

The authors claim that these issues are common in their client engagements and in bug bounty targets. Overall, a good post on an ORM leak issue that somewhat resembles NoSQL injection.
Analysis Summary
# Vulnerability: Beego ORM Leak & Bypasses in Harbor
## CVE Details
- **CVE ID:** CVE-2025-30086
- **CVSS Score:** N/A (Severity: High/Critical - Impact is similar to SQL/NoSQL injection in sensitivity)
- **CWE:** CWE-209 (Generation of Error Message Containing Sensitive Information), CWE-943 (Improper Neutralization of Special Elements in Query Filter Expression)
## Affected Systems
- **Products:** Harbor (Container Registry), Beego ORM
- **Versions:** Harbor versions prior to the patches released following the vulnerability report (specifically v2.12.2 and earlier).
- **Configurations:** Systems utilizing the `setFilters` function to parse the `q` URL parameter for search and list operations.
## Vulnerability Description
The vulnerability is an **ORM Leak** occurring when user-controlled input is directly concatenated into a Beego ORM filter expression. The Beego ORM uses a Django-inspired syntax where double underscores (`__`) denote relational lookups or filter modifiers (e.g., `__icontains`).
Discovery and bypasses involved:
1. **Initial Flaw:** Users could control the filter key. By injecting external field names, an attacker could leak sensitive data (e.g., `email`, `password`, `salt`) through the response or side-channel oracles.
2. **Logic Bypass 1:** Harbor attempted to limit filterable fields. However, attackers used the syntax `a__b` where the Beego ORM would parse the relation `b`, but the Harbor security check only validated the prefix `a`.
3. **Logic Bypass 2:** Harbor restricted the number of underscores. This was bypassed by a "concatenation" technique where the input appeared to have only one `__` but resulted in a valid nested ORM query upon processing.
## Exploitation
- **Status:** PoC available (Techniques derived from Django "plORMbing" research).
- **Complexity:** Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (allows unauthorized extraction of sensitive database fields, including password hashes and salts).
- **Integrity:** None
- **Availability:** Low (Potential for ReDoS-style error-based attacks depending on the database backend).
## Remediation
### Patches
- Users should upgrade to the latest version of Harbor (consult the Harbor GitHub repository for the specific security release associated with CVE-2025-30086).
- If developing with **Beego ORM**, avoid passing raw user input into the key parameter of the `.Filter()` function.
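To make the bypass sequence in the Vulnerability Description and the `.Filter()` advice above concrete, here is an added Go example; it is not Harbor's or Beego's code and not from the elttam post. The column names, the assumption that `owner` is a relation, and the three check functions are constructed from the page's description of the patches, not taken from Harbor's actual source.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed allow-list of searchable columns. "owner" is assumed to be a
// relation, so "owner__password" makes the ORM read "password" from the join.
var allowedFields = map[string]bool{"name": true, "owner": true}

// prefixCheck models the first patch: only the text before the first "__" is
// compared with the allow-list, so "owner__password" is accepted and the ORM
// later parses "password" as the real field (the a__b case).
func prefixCheck(input string) (string, bool) {
	if !allowedFields[strings.SplitN(input, "__", 2)[0]] {
		return "", false
	}
	return input + "__icontains", true
}

// countCheck models the second patch: the prefix check plus at most one "__"
// in the raw input. The count is taken before "__icontains" is appended, so
// "owner__password" still reaches the ORM with two "__" sequences.
func countCheck(input string) (string, bool) {
	if strings.Count(input, "__") > 1 {
		return "", false
	}
	return prefixCheck(input)
}

// strictLookup is the safe form: the whole input must exactly match an
// allow-listed column, and the lookup suffix is added only afterwards, so no
// user-controlled "__" ever reaches the filter expression.
func strictLookup(input string) (string, error) {
	if !allowedFields[input] {
		return "", fmt.Errorf("unsupported search field %q", input)
	}
	return input + "__icontains", nil
}

func main() {
	for _, in := range []string{"name", "owner__password", "password"} {
		_, ok1 := prefixCheck(in)
		_, ok2 := countCheck(in)
		_, err := strictLookup(in)
		fmt.Printf("%-16s prefix=%-5v count=%-5v strict=%v\n", in, ok1, ok2, err == nil)
	}
}
```

The same pattern applies to any Django-style ORM: validate the complete key that will be passed to the filter, never a prefix or a character count of the raw input.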
### Workarounds
- Implement strict allow-listing of permitted query parameters at the API Gateway or WAF level.
- Ensure that the database account used by the ORM has the minimum permissions it needs (least privilege), so that it cannot read internal system tables.
## Detection
- **Indicators of compromise:** Unusual URL parameters containing multiple double-underscores (`__`) or references to sensitive fields (`salt`, `password`, `secret`) in the `q=` query string.
- **Detection methods and tools:**
- **Semgrep:** The authors have released specific rules to detect dangerous Beego, Django, and Prisma patterns at `https://github[.]com/elttam/semgrep-rules`.
- **Plormber:** A tool for exploiting/testing time-based ORM leaks available at `https://github[.]com/elttam/plormber`.
## References
- elttam Research Blog: `https://www[.]elttam[.]com/blog/leaking-more-than-you-joined-for/`
- Harbor Project: `https://github[.]com/goharbor/harbor`
- Beego ORM Documentation: `https://github[.]com/beego/beego`