GHSA-qhh4-458h-xwh2: @cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry
When cdxgen scans or pulls container images through the Docker daemon API, it builds an X-Registry-Auth header from Docker credentials in DOCKER_CONFIG/config.json. The credential selection logic matches configured registry keys with substring checks:
if (forRegistry && !serverAddress.includes(forRegistry)) {
continue;
}
This is not an origin-safe registry comparison. For example, credentials configured for private-registry.example.com are selected for a requested image under registry.example.com, because:
"private-registry.example.com".includes("registry.example.com") === true
The selected credentials are then serialized into X-Registry-Auth for the Docker API pull request targeting the requested registry.