Code Injection Security Vulnerability Disclosure

Skip to first unread message

Indiana Moreau

Oct 28, 2020, 3:12:49 PM10/28/20
to go-gost

I would like to report a security vulnerability in one of your projects. This vulnerability results in remote code injection and can be exploited by anyone; it is called dependency repository hijacking. This vulnerability in your project was discovered as part of an analysis of all open source project for this vulnerability and due to the popularity of this project we are contacting you directly.
For more information regarding this vulnerability and the analysis that took place please see this article:

Risk: High
Affected Project: Ghost -
Affected Location in Code:
Hijackable Dependency:

Summary: Dependency repository hijacking (aka repo jacking) occurs when a piece of code links directly to a Github repository URL. If the owner of that Github repository changes their username or deletes their account, anyone can then reregister their old account name and take control of the linked repository. This can result in a malicious attacker injecting their own code in any project that depended on the Github URL.
For a more in-depth explanation of the issue, please see the article linked above.

Steps for Reproduction:
1. Go to the affect location in the code: Note: This may not be the only place where this repository is linked to and we recommend ensuring that this repository or Github username is not linked to from anywhere else in the code.
2. Follow the Github link reference by the code: Notice how the link redirects you to a repository under a different user, this is because the original user changed their username. If the link returns a 404 error, this means that the original user has deleted their account.
3. Go to, which is the user profile page of the original username. Notice how it returns a 404 error, meaning that this user is non-existent, therefore anyone can create an account with this username and hijack the repository to which your code links to.

To fix this issue, the best solution would be to not link directly to a Github URL, instead use a package manager to manage dependencies. Alternatively, changing the link to point to the new URL (the one that the old URL redirects you to) will also mitigate this issue for the time being, but if the user changes their username again it will once again be vulnerable to repo jacking.
For more remediation options, please see the article linked above.

Please note that as part of the disclosure for this vulnerability we are contacting many different projects directly, as such it is possible that this instance of the vulnerability is a false positive. Feel free to contact me if you have any further questions,

Indiana Moreau
Reply all
Reply to author
0 new messages