Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Research Reveals Vulnerability in GitHub ‘Verified’ Commits

Research Reveals Vulnerability in GitHub ‘Verified’ Commits

Posted on July 8, 2026 By CWS

Recent findings have uncovered a significant vulnerability in the way GitHub handles ‘Verified’ commits. A new study by Jacob Ginesin, a PhD candidate at Carnegie Mellon University, reveals that a signed Git commit’s hash is not as unique as many in the software industry once believed. This discovery shows that anyone, without the required signing key, can create a secondary commit with identical files, author details, and date, yet still carry a valid signature, allowing GitHub to mark it as ‘Verified.’

Understanding the Potential Risks

Despite everything appearing consistent to a reviewer, the commit’s hash differs, which is crucial because numerous systems consider a verified commit hash as a unique identifier for its contents. This discrepancy poses a threat since if a bad commit is blocked using its hash, an attacker can easily re-upload the same content with a new, ‘Verified’ hash that bypasses the blocklist. This vulnerability affects systems relying on deduplication, provenance logs, and reproducible-build records, as they all depend on the commit hash.

Moreover, compromised or malicious mirrors can distribute validly signed commits with different hashes from the original source. However, it’s important to note that this flaw does not provide a method to bypass signature checks with different code, as the files remain identical across all copies. There’s no need for developers to alter their repositories, as the issue lies in how a forge determines what constitutes ‘Verified,’ and the solution must be implemented on the forge’s side.

Technical Background and Implications

Ginesin’s research, published on arXiv, includes a public tool demonstrating the attack and two demo repositories showing that altered commits still receive ‘Verified’ status on GitHub. The issue, termed ‘hash chain malleability,’ arises because a commit’s hash is calculated over all its components, including the raw bytes of the signature in its header. Multiple valid signatures can be re-encoded into different forms, altering the hash without modifying the code itself.

Three methods illustrate the vulnerability across all GPG schemes recognized by GitHub, along with S/MIME. The first involves flipping the signature for ECDSA keys using elliptic-curve algebra. The second adds an extra field to the ‘unhashed’ section for RSA and EdDSA keys, which doesn’t affect the signature’s validity but changes the commit’s bytes and hash. Lastly, the third method modifies a length field in S/MIME keys, which is rejected by strict local checks but accepted by GitHub.

Proposed Solutions and Industry Response

To address this, Ginesin suggests forges should canonicalize signatures before trusting the hash. This approach mirrors Bitcoin’s solution to similar issues with ECDSA symmetry. The research highlights the importance of not solely relying on a commit’s hash as its unique identifier. Instead, systems should verify and canonicalize signatures before processing them.

Ginesin reported this vulnerability to key organizations like GNU, Git, and GitHub earlier this year. Despite this, no action has been taken by Git or any forge as of the research’s publication. The suggested changes are well understood and should start with the S/MIME case, where GitHub accepts commits that strict local checks reject. The research emphasizes the need for ongoing vigilance in software verification processes to maintain security and integrity.

The Hacker News Tags:code verification, commit hash, Cryptography, Cybersecurity, digital signatures, Git, GitHub, GPG, hash vulnerability, Open Source, S/MIME, Security, software development, software forges, verified commits

Post navigation

Previous Post: CISA Alerts on Adobe ColdFusion Security Flaw Exploitation
Next Post: Critical Dialogflow CX Flaw Exposed AI Conversations

Related Posts

China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Southeast Asia China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Southeast Asia The Hacker News
AI Value in SOCs: What the Next Wave Must Offer AI Value in SOCs: What the Next Wave Must Offer The Hacker News
Microsoft and CrowdStrike Launch Shared Threat Actor Glossary to Cut Attribution Confusion Microsoft and CrowdStrike Launch Shared Threat Actor Glossary to Cut Attribution Confusion The Hacker News
Researchers Disclose Google Gemini AI Flaws Allowing Prompt Injection and Cloud Exploits Researchers Disclose Google Gemini AI Flaws Allowing Prompt Injection and Cloud Exploits The Hacker News
Unveiling Cyber Deception: Lessons from Art Forgery Unveiling Cyber Deception: Lessons from Art Forgery The Hacker News
TA558 Uses AI-Generated Scripts to Deploy Venom RAT in Brazil Hotel Attacks TA558 Uses AI-Generated Scripts to Deploy Venom RAT in Brazil Hotel Attacks The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Details Emerge for SharePoint RCE Vulnerability Exploit
  • Understanding Email Security Failures: Join Our Webinar
  • Verification Steps: The New ATO Challenge in 2026
  • Outdated PHP in WordPress Poses Cybersecurity Threat
  • Critical Dialogflow CX Flaw Exposed AI Conversations

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Details Emerge for SharePoint RCE Vulnerability Exploit
  • Understanding Email Security Failures: Join Our Webinar
  • Verification Steps: The New ATO Challenge in 2026
  • Outdated PHP in WordPress Poses Cybersecurity Threat
  • Critical Dialogflow CX Flaw Exposed AI Conversations

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark