GHSA-6c87-g9pw-78fxLowCVSS 3.7Disclosed before NVD

Contrast's Imagepuller registryFor uses unanchored suffix matching, leaking auth credentials and trusted CA configuration to sibling-domain registries

Published
July 1, 2026
Last Modified
July 1, 2026

📋 Description

Summary

Config.registryFor selected a per-registry credential / CA / mirror block by checking strings.HasSuffix(name, fqdn) after stripping a single trailing dot.  The match has no boundary between the configured FQDN and any preceding characters in the request hostname. A registry configured as [registries."ghcr.io."] is therefore also applied to any image pulled from a host whose name happens to end in the literal byte sequence ghcr.io,  including attacker-registered domains such as evilghcr.io.  The imagepuller would then send the configured Authorization header (basic auth, registry token, or identity token), trust the configured custom CA bundle, follow the configured mirror, or honour insecure-skip-verify, on requests to that hostname.

Prerequisites

For this to be applicable, an image or layer must be pulled from a "sibling" domain ending in one of the FQDNs configured in the imagepuller config. This may occur due to malicious intent or coincidentally.

Impact

  • Authentication header leaks to the sibling registry.
  • If insecure-skip-verify is set on an FQDN, TLS will also not be verified for the sibling registry.
  • Mirrors configured for an FQDN will also be used with the sibling registry.

Not impacted

Image integrity is not impacted. Image bytes remain pinned by digest in the policy and are validated after the pull. This advisory does not allow code substitution.

Workaround

  • If possible, configure explicit subdomains in the imagepuller config. A configuration for [registries.".example.registry"] is unaffected, only [registries."example.registry"] is potentially affected.
  • Audit images and layers configured in the deployment for the existence of sibling domains.

Patches

After this patch, registry matches are determined by exact label equality instead of suffix matching. Each .-separated part of the FQDN must be an exact match with the corresponding label in the image reference.

Severity

  • AV:N because the leak is over the network to a registry under the attacker's control. 
  • AC:H because exploitation requires the operator to have configured a registry FQDN without a leading . AND the attacker to control a sibling-suffix domain that the deployment will pull from.
  • PR:N for the eventual recipient. 
  • S:U because impact stays in the imagepuller. 
  • C:L for credential leak (no integrity / availability impact).

🎯 Affected products1

  • go/github.com/edgelesssys/contrast:<= 1.20.0

🔗 References (4)