Full Report
The author of this post had found a vulnerability in GitHub previously. They decided to conduct a scan for Dependency Confusion issues on GitLab and GitHub. While looking at package.json, they didn't find anything. Their next step was to check Ruby dependencies on GitHub Enterprise, which is an open-source platform. They thought this was a good target because A) GitHub Enterprise isn't well-known to be open source, and B) dependency confusion in Ruby is less well-known. They noticed over 100 packages that were unregistered externally! So, they created a Ruby Gem for all of these that exfiltrated data via DNS to prove impact. After waiting a bit, they had about 2K callbacks within a 24-hour window of submitting the vulnerability. This allowed them to execute code in several locations, including buildkitsandbox, vscode, and several others. After reporting the vulnerability, they were asked to take down the malicious gems to prevent further impact of the issue. The author claims that they had access to the domain, which was used for the build process and dev code workspaces. They were awarded $20K but though it was going to be more. To give them credit, they stopped executing further payloads and didn't try to pivot at all. Based on this, they believe the payout should have been higher than the minimum payout for a critical. GitHub is known to have a good bug bounty program so it's hard to say who is right/wrong here. A good write-up with sound guidance on the discovery process! I thoroughly enjoyed the blog post!
Analysis Summary
# Vulnerability: Dependency Confusion in GitHub Enterprise Targeting Ruby Gems
## CVE Details
- CVE ID: Not explicitly provided in the text.
- CVSS Score: Not explicitly provided in the text, but described as a **critical** finding resulting in Remote Code Execution (RCE).
- CWE: Likely related to CWE-178 (Improper Neutralization of Data within a Dependency Specification) or CWE-502 (Deserialization of Untrusted Data) depending on execution context, often categorized under Dependency Confusion.
## Affected Systems
- Products: GitHub Enterprise (leveraging its Ruby dependencies).
- Versions: Unspecified, but any version of GitHub Enterprise using the vulnerable dependency resolution mechanism for internal Ruby Gems.
- Configurations: Environments utilizing internal, unregistered Ruby dependencies (`Gemfile`/`Gemfile.lock`) that could be overridden by malicious packages published publicly to RubyGems.org.
## Vulnerability Description
The researcher exploited a Dependency Confusion vulnerability within GitHub Enterprise by targeting its Ruby dependencies. They identified 126 un-registered internal Ruby packages by scanning `Gemfile` and `Gemfile.lock` files within the open-source components of GitHub Enterprise. By publishing malicious Ruby Gems with the same names to RubyGems.org, the researcher caused the build/execution environments to prioritize the public, malicious gem over the internal one. The proof-of-concept payload allowed for data exfiltration via DNS requests and achieved code execution across several services, including `buildkitsandbox` and `vscode` workspaces.
## Exploitation
- Status: **PoC available** (The researcher successfully executed payloads; however, they stopped upon request from GitHub).
- Complexity: **Low** (Automated setup, rapid prototyping using AI assistance, and execution via standard dependency installation mechanisms).
- Attack Vector: Network (publishing the malicious package; execution likely occurs on the build/execution systems).
## Impact
- Confidentiality: **High** (Data exfiltration via DNS observed, indicating access to internal environment context).
- Integrity: **High** (Remote Code Execution achieved in multiple services).
- Availability: **Potentially High** (Widespread impact noted, affecting multiple internal platforms).
## Remediation
### Patches
- Patches were deployed by GitHub, resolving the issue reported (The resolution took 58 days). Specific patch versions are **not provided**.
### Workarounds
- The researcher was asked to **"neuter the malicious packages"**, suggesting removal/removal of malicious files from RubyGems.org.
- Researchers/Organizations must ensure private dependency registries are correctly configured to prevent resolution errors (e.g., using private gem servers or configuring gem sources correctly).
## Detection
- **Indicators of Compromise (IoCs):** High volume of outbound DNS requests originating from build systems or artifact creation environments to external, unexpected domains (especially for data exfiltration).
- **Detection Methods and Tools:** Monitoring build logs and network traffic for unexpected external network calls during dependency resolution or package installation phases. Verification that internal dependency sources correctly override public sources.
## References
- Vendor advisories: Not publicly disclosed via standard channels (HackerOne disclosure was suppressed).
- Relevant links - defanged:
- Researcher's previous bug blog: hxxps://furbreeze.github.io/2025/09/24/my-first-cve.html
- Dependency Confusion reference article: hxxps://medium.com/@[alex.birsan/dependency-confusion-4a5d60fec610
- GitHub Bounty Page mention of Critical Payout: hxxps://bounty.github.com/#:~:text=Our%20bounty%20program%20gives%20a%20tip%20of%20the%20hat%20to%20these%20researchers%20and%20provides%20rewards%20of%20%2430%2C000%20or%20more%20for%20critical%20vulnerabilities