ajtazer
13 hours ago
The issue is a trust boundary failure in the registry authentication flow: the client accepts the WWW-Authenticate realm provided by a registry without validating origin, which allows signed authentication material to be sent to an attacker-controlled endpoint during a normal model pull.
No exploit chain or malware is involved. The client generates and forwards the token itself based on untrusted input.
The original disclosure credits FuzzingLabs. I focused on reproducing the issue on current builds and validating the impact.
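As an added illustration of the realm-origin check the comment above describes (this is example code written for this thread, not the client's code or anything from the original disclosure): a Go sketch that parses a `WWW-Authenticate: Bearer` challenge and shows the vulnerable behaviour (use whatever realm the registry returned) next to a hardened version that only hands the signed material to an HTTPS endpoint on the registry's own host or an explicit allow-list. The function names, the `allowedAuthHosts` parameter and the challenge strings are all hypothetical; `registryHost` is assumed to be a bare hostname without a port.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// parseBearerChallenge splits the parameter list of a
// `WWW-Authenticate: Bearer realm=...,service=...,scope=...` challenge.
// Commas inside double quotes are kept as part of the value; a non-Bearer
// challenge or a challenge without a realm is rejected.
func parseBearerChallenge(header string) (map[string]string, error) {
	const prefix = "Bearer "
	if !strings.HasPrefix(header, prefix) {
		return nil, errors.New("not a Bearer challenge")
	}
	params := map[string]string{}
	flush := func(part string) error {
		part = strings.TrimSpace(part)
		if part == "" {
			return nil
		}
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			return fmt.Errorf("malformed parameter %q", part)
		}
		key := strings.ToLower(strings.TrimSpace(kv[0]))
		params[key] = strings.Trim(strings.TrimSpace(kv[1]), `"`)
		return nil
	}
	rest := header[len(prefix):]
	inQuote, start := false, 0
	for i := 0; i < len(rest); i++ {
		switch rest[i] {
		case '"':
			inQuote = !inQuote
		case ',':
			if !inQuote {
				if err := flush(rest[start:i]); err != nil {
					return nil, err
				}
				start = i + 1
			}
		}
	}
	if err := flush(rest[start:]); err != nil {
		return nil, err
	}
	if params["realm"] == "" {
		return nil, errors.New("challenge has no realm")
	}
	return params, nil
}

// vulnerableTokenEndpoint mirrors the failure mode described in the comment:
// the realm is taken from untrusted registry output and used as-is, so a
// malicious or spoofed registry can redirect the signed material anywhere.
func vulnerableTokenEndpoint(header string) (string, error) {
	p, err := parseBearerChallenge(header)
	if err != nil {
		return "", err
	}
	return p["realm"], nil
}

// hardenedTokenEndpoint (hypothetical fix) accepts the realm only if it is an
// https URL whose host is the registry itself or an explicitly allow-listed
// auth host. url.Hostname() strips the port and any userinfo, so a realm like
// https://registry.example@evil.example/ still resolves to "evil.example".
func hardenedTokenEndpoint(registryHost, header string, allowedAuthHosts []string) (string, error) {
	p, err := parseBearerChallenge(header)
	if err != nil {
		return "", err
	}
	u, err := url.Parse(p["realm"])
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("realm %q is not https", p["realm"])
	}
	host := u.Hostname()
	if strings.EqualFold(host, registryHost) {
		return p["realm"], nil
	}
	for _, h := range allowedAuthHosts {
		if strings.EqualFold(host, h) {
			return p["realm"], nil
		}
	}
	return "", fmt.Errorf("realm host %q does not match registry %q", host, registryHost)
}

func main() {
	// Constructed challenge: a registry answering a pull with a foreign realm.
	challenge := `Bearer realm="https://evil.example/token",service="registry.example",scope="repository:library/model:pull"`
	ep, _ := vulnerableTokenEndpoint(challenge)
	fmt.Println("vulnerable client would POST signed material to:", ep)
	if _, err := hardenedTokenEndpoint("registry.example", challenge, nil); err != nil {
		fmt.Println("hardened client refused:", err)
	}
}
```

The important design point is that the decision is made on the parsed hostname, not on a string prefix of the realm: `https://registry.example.evil.example/` and `https://registry.example@evil.example/` both fail the comparison, and a plain `http://` realm is refused even on the right host so the signed material is never sent in the clear.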