GHSA-6C87-G9PW-78FX

GHSA-6C87-G9PW-78FX is a low-severity security vulnerability in github.com/edgelesssys/contrast (go), affecting versions <= 1.20.0. It is fixed in 1.21.0.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Contrast's Imagepuller registryFor uses unanchored suffix matching, leaking auth credentials and trusted CA configuration to sibling-domain registries

Config.registryFor selected a per-registry credential / CA / mirror block by checking strings.HasSuffix(name, fqdn) after stripping a single trailing dot. 
The match has no boundary between the configured FQDN and any preceding characters in the request hostname.
A registry configured as [registries."ghcr.io."] is therefore also applied to any image pulled from a host whose name happens to end in the literal byte sequence ghcr.io
including attacker-registered domains such as evilghcr.io. 
The imagepuller would then send the configured Authorization header (basic auth, registry token, or identity token), trust the configured custom CA bundle,
follow the configured mirror, or honour insecure-skip-verify, on requests to that hostname.

Prerequisites

For this to be applicable, an image or layer must be pulled from a "sibling" domain ending in one of the FQDNs configured in the imagepuller config.
This may occur due to malicious intent or coincidentally.

Not impacted

Image integrity is not impacted. Image bytes remain pinned by digest in the policy and are validated after the pull.
This advisory does not allow code substitution.

Workaround

  • If possible, configure explicit subdomains in the imagepuller config. A configuration for [registries.".example.registry"] is unaffected, only [registries."example.registry"] is potentially affected.
  • Audit images and layers configured in the deployment for the existence of sibling domains.

Severity

  • AV:N because the leak is over the network to a registry under the attacker's control. 
  • AC:H because exploitation requires the operator to have configured a registry FQDN without a leading . AND the attacker to control a sibling-suffix domain that the deployment will pull from.
  • PR:N for the eventual recipient. 
  • S:U because impact stays in the imagepuller. 
  • C:L for credential leak (no integrity / availability impact).

Impact

  • Authentication header leaks to the sibling registry.
  • If insecure-skip-verify is set on an FQDN, TLS will also not be verified for the sibling registry.
  • Mirrors configured for an FQDN will also be used with the sibling registry.

GHSA-6C87-G9PW-78FX has a CVSS score of 3.7 (Low). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.21.0); upgrading removes the vulnerable code path.

Affected versions

github.com/edgelesssys/contrast (<= 1.20.0)

Security releases

github.com/edgelesssys/contrast → 1.21.0 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

After this patch, registry matches are determined by exact label equality instead of suffix matching.
Each .-separated part of the FQDN must be an exact match with the corresponding label in the image reference.

Frequently Asked Questions

  1. What is GHSA-6C87-G9PW-78FX? GHSA-6C87-G9PW-78FX is a low-severity security vulnerability in github.com/edgelesssys/contrast (go), affecting versions <= 1.20.0. It is fixed in 1.21.0.
  2. How severe is GHSA-6C87-G9PW-78FX? GHSA-6C87-G9PW-78FX has a CVSS score of 3.7 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/edgelesssys/contrast are affected by GHSA-6C87-G9PW-78FX? github.com/edgelesssys/contrast (go) versions <= 1.20.0 is affected.
  4. Is there a fix for GHSA-6C87-G9PW-78FX? Yes. GHSA-6C87-G9PW-78FX is fixed in 1.21.0. Upgrade to this version or later.
  5. Is GHSA-6C87-G9PW-78FX exploitable, and should I be worried? Whether GHSA-6C87-G9PW-78FX is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-6C87-G9PW-78FX is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-6C87-G9PW-78FX? Upgrade github.com/edgelesssys/contrast to 1.21.0 or later.

Other vulnerabilities in github.com/edgelesssys/contrast

Stop the waste.
Protect your environment with Kodem.