RCE due to a dependency confusion in openziti/ziti


Reported on

May 5th 2022


Hi team,

I hope you are well. I found a dependency confusion vulnerability in this repo.

When I analyzed your repo, I found a Makefile which install a dependency : https://github.com/openziti/ziti/blob/271614d50df5535cf99ad0882649ae0ef7bb88a2/ziti/Makefile#L155

go get github.com/GoASTScanner/gas

I tested then this url and it was redirecting to https://github.com/securego/gosec. So, I tested if I can takeover the old username to cause a dependency confusion vulnerability. And this username was available to take and I take it for the PoC. But to not impact any users, I did the following step.

Proof of Concept

1.) I forked https://github.com/securego/gosec

2.) I changed the repo name from gosec to gas

3.) I changed my username from akincibor to GoASTScanner

4.) I re-changed my username from GoASTScanner to `akincibor

Now github.com/GoASTScanner/gas is redirecting to my repo github.com/akincibor/gas.

Everyone can make this url redirection to their own repo. They can also create a new Github account and take the old username without re-changing it.


As an attacker, I can host malicious content on my Github repository. I can also host an SDK or malware or a simple backdoor which can lead to an RCE because the malicious code will be installed and this is because my repo will be installed rather than the real one.

We are processing your report and will contact the openziti/ziti team within 24 hours. 2 years ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
We have contacted a member of the openziti/ziti team and are waiting to hear back 2 years ago
We have sent a follow up to the openziti/ziti team. We will try again in 4 days. 2 years ago
openziti/ziti maintainer
2 years ago


Thank you for this report. It would appear to be a valid issue and has been addressed. This make file is no longer in use and has been removed. The change will make it to the main branch on the next release.

openziti/ziti maintainer modified the Severity from High to Low 2 years ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
openziti/ziti maintainer validated this vulnerability 2 years ago
akincibor has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
openziti/ziti maintainer marked this as fixed in 0.25.6 with commit e57044 2 years ago
The fix bounty has been dropped
to join this conversation