
CVE-2025-30086: n/a

Medium
Published: Fri Jul 25 2025 (07/25/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter password=~ could be abused to leak out a user's password hash character by character. An attacker with administrator access could exploit this to leak highly sensitive information stored in the Harbor database. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack.

AI-Powered Analysis

Last updated: 07/25/2025, 14:47:54 UTC

Technical Analysis

CVE-2025-30086 is a vulnerability affecting CNCF Harbor versions 2.13.x prior to 2.13.1 and 2.12.x prior to 2.12.4. Harbor is a popular open-source container image registry that stores and serves container images, widely used in cloud-native environments. The vulnerability arises from an Object-Relational Mapping (ORM) leak in the /api/v2.0/users endpoint. Specifically, the q URL parameter allows filtering users by any column, including the password field. An attacker with administrator privileges can exploit this flaw by supplying a filter such as password=~ to extract password hashes and salt values character by character. This side-channel style information disclosure enables the attacker to reconstruct sensitive credential data stored in the Harbor database. Since all endpoints supporting the q parameter are vulnerable, the attack surface extends beyond just the users endpoint.

The vulnerability requires administrative access to Harbor, which means the attacker must already have elevated privileges within the system. However, once exploited, it can lead to the compromise of user credentials, potentially enabling lateral movement or privilege escalation within the container registry environment.

No CVSS score has been assigned yet, and there are no known exploits in the wild at the time of publication. The flaw was reserved in March 2025 and published in July 2025, indicating recent discovery and disclosure. No official patches or mitigations are linked in the provided data, but the fixed versions are 2.13.1 and 2.12.4, implying that upgrading to these or later versions will remediate the issue.

Potential Impact

For European organizations, this vulnerability poses a significant risk to container image security and overall cloud-native infrastructure integrity. Harbor is widely adopted in Europe due to the region's strong emphasis on cloud-native technologies and container orchestration platforms like Kubernetes. An attacker exploiting this vulnerability can obtain password hashes and salts of Harbor users, potentially cracking them offline to gain unauthorized access. This can lead to unauthorized image uploads, downloads, or deletions, disrupting CI/CD pipelines, software supply chains, and production environments. The exposure of credential data also increases the risk of lateral movement within corporate networks, potentially affecting other critical systems. Given the GDPR and other stringent data protection regulations in Europe, any compromise involving user credentials and sensitive infrastructure data can result in severe compliance violations, financial penalties, and reputational damage. The requirement for administrator access limits the threat to insiders or attackers who have already breached perimeter defenses, but the severity remains high due to the sensitive nature of the leaked information and the critical role Harbor plays in container security.

Mitigation Recommendations

European organizations should immediately upgrade affected Harbor instances to versions 2.13.1 or 2.12.4 or later, where this vulnerability is patched. Until upgrades can be performed, organizations should restrict administrator access to Harbor to a minimal set of trusted personnel and enforce strong multi-factor authentication (MFA) to reduce the risk of credential compromise. Monitoring and auditing Harbor API usage, especially queries involving the q parameter, can help detect suspicious activity indicative of exploitation attempts. Network segmentation should be applied to isolate Harbor instances from less trusted network zones. Additionally, organizations should rotate Harbor user credentials and any associated secrets after patching to mitigate potential credential exposure. Implementing strict role-based access control (RBAC) policies within Harbor can limit the number of users with administrator privileges, reducing the attack surface. Finally, organizations should keep abreast of official Harbor security advisories and apply patches promptly to address any future related vulnerabilities.
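The q-parameter monitoring recommended above can be sketched as a log check. This is an added example, not code from Harbor or from this advisory: it assumes nginx "combined"-style access logs from the proxy in front of Harbor, uses constructed sample lines, and treats `salt` as an assumed filter key alongside the `password` key the description names.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Filter keys that should never appear in a q expression. "password" is the
# key named in the advisory; "salt" is an assumed column name.
SENSITIVE_KEYS = {"password", "salt"}

# Constructed sample lines in nginx "combined" style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jul/2025:10:00:01 +0000] "GET /api/v2.0/users?q=username%3D~dev HTTP/1.1" 200 512
10.0.0.9 - - [25/Jul/2025:10:00:02 +0000] "GET /api/v2.0/users?q=password%3D~EXAMPLE HTTP/1.1" 200 2
10.0.0.9 - - [25/Jul/2025:10:00:03 +0000] "GET /api/v2.0/users?page=1&q=email%3D~corp,Salt%3D~EXAMPLE HTTP/1.1" 200 2
10.0.0.7 - - [25/Jul/2025:10:00:04 +0000] "GET /api/v2.0/projects?q=name%3Dlibrary HTTP/1.1" 200 340
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT|DELETE|HEAD|PATCH) (\S+) HTTP/[\d.]+"')

def sensitive_filter_keys(target):
    """Return the sensitive keys used in the q parameter of a request target."""
    parts = urlsplit(target)
    if not parts.path.startswith("/api/v2.0/"):
        return set()
    hits = set()
    for q in parse_qs(parts.query).get("q", []):   # parse_qs URL-decodes values
        for clause in q.split(","):                # clauses are comma-separated
            key = clause.split("=", 1)[0].strip().lower()
            if key in SENSITIVE_KEYS:
                hits.add(key)
    return hits

def scan(log_text):
    """Return (findings, per-client counts) for requests filtering on sensitive keys."""
    findings, per_client = [], Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        keys = sensitive_filter_keys(target)
        if keys:
            findings.append((client, target, sorted(keys)))
            per_client[client] += 1
    return findings, per_client

if __name__ == "__main__":
    findings, per_client = scan(SAMPLE_LOG)
    for client, target, keys in findings:
        print(f"ALERT {client} filtered on {keys}: {target}")
    print(dict(per_client))
```

A high per-client count is the stronger signal, since the description states the hash is recovered character by character and that takes many requests.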


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-03-16T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6883958dad5a09ad0050e722

Added to database: 7/25/2025, 2:32:45 PM

Last enriched: 7/25/2025, 2:47:54 PM

Last updated: 7/26/2025, 1:04:14 PM
