The issue is a trust boundary failure in the registry authentication flow:
the client accepts the WWW-Authenticate realm provided by a registry without
validating origin, which allows signed authentication material to be sent to
an attacker-controlled endpoint during a normal model pull.
No exploit chain or malware is involved. The client generates and forwards
the token itself based on untrusted input.
The original disclosure credits FuzzingLabs. I focused on reproducing the
issue on current builds and validating the impact.
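The flow described in the comment, as an added example: this is not the reporter's reproduction and not the real client's code, just a toy registry client and a simulated network that make the trust-boundary failure concrete. Hostnames, the `nonce` challenge parameter, and the HMAC signing step are assumptions; whatever the real client signs, the point is the same: the realm URL comes from the untrusted 401 response and decides where that signed material is sent.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Parses the key="value" pairs of a Bearer challenge, e.g.
#   Bearer realm="https://registry.example/token",service="registry.example"
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header: str) -> dict:
    """Return the parameters of a WWW-Authenticate: Bearer ... header."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported auth scheme {scheme!r}")
    return dict(PARAM_RE.findall(params))


def sign_challenge(client_key: bytes, nonce: str) -> str:
    """Assumed client-side step: the client signs the challenge nonce with its
    own key. This stands in for the 'signed authentication material'."""
    return hmac.new(client_key, nonce.encode(), hashlib.sha256).hexdigest()


def realm_is_trusted(realm: str, registry_host: str) -> bool:
    """The missing check: only authenticate to an https realm on the registry's
    own host. A real client might instead pin an allowlist of auth hosts."""
    u = urlparse(realm)
    return u.scheme == "https" and u.hostname == registry_host


class FakeHTTP:
    """Constructed stand-in for the network. The 'registry' always answers the
    manifest request with 401 plus the configured challenge, and every token
    POST is recorded so we can see where the token went."""

    def __init__(self, challenge_header: str):
        self.challenge_header = challenge_header
        self.token_posts = []  # list of (destination hostname, token)

    def get_manifest(self, registry_host: str, model: str):
        return 401, {"WWW-Authenticate": self.challenge_header}

    def post_token(self, realm_url: str, token: str) -> int:
        self.token_posts.append((urlparse(realm_url).hostname, token))
        return 200


def pull_model(http, registry_host: str, model: str, client_key: bytes,
               validate_realm: bool):
    """Simulated pull. Returns the hostname that received the signed token,
    or None when no token was sent (no auth needed, or realm refused)."""
    status, headers = http.get_manifest(registry_host, model)
    if status != 401:
        return None  # nothing sensitive leaves the client
    challenge = parse_bearer_challenge(headers["WWW-Authenticate"])
    realm = challenge["realm"]
    # Vulnerable behaviour: the realm from the untrusted response is used as-is.
    # Hardened behaviour: refuse any realm that is not on the registry host.
    if validate_realm and not realm_is_trusted(realm, registry_host):
        return None
    token = sign_challenge(client_key, challenge.get("nonce", ""))
    http.post_token(realm, token)
    return urlparse(realm).hostname


# Constructed sample challenges: one honest, one with the realm pointed elsewhere.
HONEST = ('Bearer realm="https://registry.example/token",'
          'service="registry.example",nonce="n1"')
ROGUE = ('Bearer realm="https://attacker.example/token",'
         'service="registry.example",nonce="n1"')

if __name__ == "__main__":
    key = b"client-signing-key"
    for name, hdr in (("honest", HONEST), ("rogue", ROGUE)):
        for hardened in (False, True):
            dest = pull_model(FakeHTTP(hdr), "registry.example", "demo:7b",
                              key, validate_realm=hardened)
            print(f"{name:6} hardened={hardened!s:5} token sent to: {dest}")
```

With `validate_realm=False` the rogue challenge walks the signed token straight to `attacker.example`, which is the whole bug: no exploit code, just the client following the header it was given. The same-host check here is the simplest fix; registries that legitimately serve tokens from a separate auth domain would need a pinned allowlist of realm hosts instead, but in either case the allowed destination must come from client configuration, never from the response being authenticated.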