Exploiting Dependabot: Bypassing GitHub's Merge Protection
2025-06-06

Researchers have disclosed a novel attack that exploits a "Confused Deputy" weakness in GitHub's Dependabot (and similar automation bots). By crafting branch names, an attacker can trick Dependabot into merging malicious code, potentially bypassing branch protection rules and leading to command injection. Two previously unknown attack techniques were also disclosed that increase the effectiveness of this exploit. The finding highlights the need for developers to carefully manage the permissions of automated tools and to strengthen security audits of their CI and code-review pipelines.
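The summary does not describe how a crafted branch name turns into command injection, so the following is an added defensive example, not code from the original article, from GitHub or from the researchers. It audits a GitHub Actions workflow for the generic pattern behind branch-name injection: a `run:` step that interpolates an attacker-controllable branch-name context (such as `github.head_ref`) directly into the shell, where the branch name is substituted before the shell parses the command. The hardened form passes the value through an environment variable instead. The workflow text, the step names and the list of contexts flagged are constructed for this example.

```python
import re

# Constructed sample workflow (not from the article): two unsafe steps and one hardened step.
SAMPLE_WORKFLOW = """\
name: ci
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: unsafe
        run: echo "Building ${{ github.head_ref }}"
      - name: safe
        env:
          BRANCH: ${{ github.head_ref }}
        run: echo "Building $BRANCH"
      - name: also unsafe
        run: |
          git checkout ${{ github.event.pull_request.head.ref }}
"""

# Expression contexts whose value an outside contributor controls through a branch name.
# This list is an assumption for the example; extend it to match your own threat model.
UNTRUSTED_BRANCH_CONTEXTS = (
    "github.head_ref",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.ref_name",
)

# Matches a ${{ ... }} expression and captures its body.
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")


def find_branch_name_injection(workflow_text):
    """Return (line_number, context) for every line of a run: step that interpolates
    a branch-name context straight into the shell command. Lines are 1-indexed.

    The scan is line-based on purpose so it needs no YAML library: a run: line and
    every following line indented deeper than it (the block scalar body) are checked.
    Values passed through an env: mapping are not flagged, because the shell then
    sees an ordinary variable rather than attacker-supplied command text.
    """
    findings = []
    in_run_block = False
    run_indent = 0
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip()
        if not stripped:
            continue  # blank lines do not end a block scalar
        indent = len(line) - len(stripped)
        if stripped.startswith("- "):  # "- run: ..." as the first key of a step
            stripped = stripped[2:]
            indent += 2
        if stripped.startswith("run:"):
            in_run_block = True
            run_indent = indent
            body = stripped[len("run:"):]
        elif in_run_block and indent > run_indent:
            body = stripped
        else:
            in_run_block = False
            continue
        for match in EXPR_RE.finditer(body):
            expr = match.group(1)
            for ctx in UNTRUSTED_BRANCH_CONTEXTS:
                if ctx in expr:
                    findings.append((lineno, ctx))
    return findings


if __name__ == "__main__":
    for lineno, ctx in find_branch_name_injection(SAMPLE_WORKFLOW):
        print(f"line {lineno}: branch-name context '{ctx}' interpolated into a run: step")
```

Run it over each file under `.github/workflows/` as part of a repository audit; a finding means the step should be rewritten to read the branch name from an `env:` variable, as the `safe` step above does, so that the value is data to the shell rather than part of the command it parses.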