in-toto (Golang & Python), Glob Pattern Negation Inconsistency, GHSA-pmwq-pjrm-6p5r (Moderate)


The vulnerability stems from inconsistent handling of glob pattern negations between the Golang and Python implementations of in-toto.
in-toto-python uses `!` to denote negation in character classes (e.g., [!a-z]), while in-toto-golang historically used `^` (e.g., [^a-z]).
Because the two implementations interpret the negation operator differently, a layout file written for one implementation may behave unexpectedly when verified by the other.
For example, a rule written for Python that excludes certain files with `!` is read by Golang with the `!` as a literal class member rather than a negation operator, so the exclusion silently fails.
Conversely, a rule written with `^` for Golang is read by Python with the `^` as a literal character, again producing incorrect inclusion/exclusion decisions.
This inconsistency can cause verification passes or failures that do not reflect the actual supply chain state, potentially allowing malicious artifacts to bypass checks.
The issue only manifests in mixed‑implementation pipelines where one tool creates the layout and another verifies it.
The flaw is classified as a CWE‑168 (Improper Handling of Inconsistent Special Elements).
The GitHub Security Advisory (GHSA‑pmwq‑pjrm‑6p5r) describes the problem and its impact.
The fix unifies both implementations to use `!` for negation, matching Python’s original behavior.
The improved version is available in in‑toto‑golang v0.11.0 (commit 36d782f).
No CVE identifier has been assigned to this advisory as of May 2026.

dailycve form:

Platform: in-toto (Golang & Python)
Version: before v0.11.0
Vulnerability: Glob negation inconsistency
Severity: Moderate
Date: 2026-05-08

Prediction: Patch v0.11.0

What Undercode Say:

Commands and code snippets related to this advisory.

Verify the in-toto-golang version (should be >= 0.11.0):

```shell
go list -m github.com/in-toto/in-toto-golang
```

Golang pattern using the old (vulnerable) `^` negation:

```go
pattern := "[^0-9].txt" // matches any file whose name starts with anything except a digit
```

Python pattern using the correct `!` negation:

```python
pattern = "[!0-9].txt"  # same intended meaning, but a different operator
```

Build and run a simple test to observe the inconsistency (pre-patch):

```shell
go test -run TestGlobNegation ./...
```

Exploit:

An attacker can craft a layout that relies on the different negation operators. When the layout is created with one implementation (e.g., Python using !) and verified with the other (e.g., Golang using ^), the intended exclusions are ignored. This allows the attacker to include files or artifacts that should have been excluded, potentially bypassing supply chain integrity rules.

Protection from this vulnerability:

  • Upgrade in-toto-golang to v0.11.0 or later.
  • Use a single implementation (either Python or Golang) across all stages of the pipeline – from layout creation to verification.
  • Audit existing layouts for inconsistent negation operators and convert all patterns to use `!` exclusively.
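The following Go program is an added example, not code from in-toto or from this advisory. It uses Go's standard-library `path.Match` as a stand-in for the two negation dialects the advisory describes: `path.Match` natively treats `^` as the class-negation operator and `!` as an ordinary class member (the legacy Golang reading), and the unified `!` reading is emulated by rewriting `[!` to `[^` before matching. It then shows the audit step from the last bullet above: detecting layout patterns that still rely on `^` and normalizing them to `!`. The function names (`MatchCaretNegation`, `MatchBangNegation`, `NormalizeToBang`, `UsesCaretNegation`) and the sample patterns are constructed for this example and are not in-toto identifiers.

```go
package main

import (
	"fmt"
	"path"
)

// rewriteClassNegation replaces the operator `from` with `to` when, and only
// when, it is the first character of a bracket class ("[" + operator). Escaped
// characters are copied untouched, a "]" that immediately follows the class
// opener is a literal member, and an operator character that appears anywhere
// else inside a class is a literal member and is left alone.
func rewriteClassNegation(pattern string, from, to byte) string {
	out := make([]byte, 0, len(pattern))
	inClass := false // currently inside "[...]"
	classLen := 0    // members seen so far in the current class
	for i := 0; i < len(pattern); i++ {
		c := pattern[i]
		switch {
		case c == '\\' && i+1 < len(pattern):
			// Backslash escape: copy both bytes verbatim.
			out = append(out, c, pattern[i+1])
			i++
			if inClass {
				classLen++
			}
		case !inClass && c == '[':
			inClass, classLen = true, 0
			out = append(out, c)
			if i+1 < len(pattern) && pattern[i+1] == from {
				out = append(out, to) // operator position: swap it
				i++
			}
		case inClass && c == ']' && classLen > 0:
			inClass = false
			out = append(out, c)
		default:
			if inClass {
				classLen++
			}
			out = append(out, c)
		}
	}
	return string(out)
}

// MatchCaretNegation evaluates a pattern with Go stdlib semantics, where "^"
// negates a class and "!" is an ordinary class member. This stands in for the
// pre-v0.11.0 in-toto-golang reading described in the advisory (assumption:
// it is not that project's own matcher).
func MatchCaretNegation(pattern, name string) bool {
	ok, err := path.Match(pattern, name)
	return err == nil && ok
}

// MatchBangNegation evaluates a pattern with "!" as the negation operator (the
// unified behaviour), emulated by rewriting "[!" to "[^" before path.Match.
// A leading literal "^" inside a class is not emulated here; those patterns
// are exactly what UsesCaretNegation flags for manual review.
func MatchBangNegation(pattern, name string) bool {
	return MatchCaretNegation(rewriteClassNegation(pattern, '!', '^'), name)
}

// NormalizeToBang converts a legacy "^"-negated pattern to the unified "!" form.
func NormalizeToBang(pattern string) string {
	return rewriteClassNegation(pattern, '^', '!')
}

// UsesCaretNegation reports whether a layout pattern still relies on "^".
func UsesCaretNegation(pattern string) bool {
	return NormalizeToBang(pattern) != pattern
}

func main() {
	// Constructed sample rule meant to cover "every file NOT starting with a digit".
	rule := "[!0-9].txt"
	for _, name := range []string{"a.txt", "1.txt", "!.txt"} {
		fmt.Printf("%-6s caret(^) semantics=%-5v bang(!) semantics=%v\n",
			name, MatchCaretNegation(rule, name), MatchBangNegation(rule, name))
	}
	// Constructed legacy layout patterns, as an audit pass would see them.
	for _, p := range []string{"[^0-9].txt", "[a^b].txt", "build/[^.]*"} {
		fmt.Printf("%-14s legacy=%-5v -> %s\n", p, UsesCaretNegation(p), NormalizeToBang(p))
	}
}
```

Running it shows the inversion the advisory warns about: under the caret reading, `[!0-9].txt` matches `1.txt` and `!.txt` but not `a.txt`, the opposite of the rule's intent, while the bang reading matches `a.txt` only. The audit helpers only touch an operator in the first position of a class, so `[a^b].txt` is left alone and an escaped `\[` never opens a class.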

Impact:

Successful exploitation can lead to verification bypass, where malicious artifacts are not properly excluded, undermining the integrity of the software supply chain. The vulnerability is of moderate severity (CVSS 4.1, AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N).


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
