Hello,
This is a public disclosure of a security issue identified in GitGuardian's
GGShield CLI tool: an SSL/TLS certificate verification bypass triggered
through
the `--allow-self-signed` flag and related configuration.
Although this issue did not receive a CVE assignment, it was escalated
through
proper coordinated disclosure channels, including CERT/CC. Vendor has since
implemented mitigations in GGShield v1.44.1.
---
Summary
-------
Product: GGShield (GitGuardian secrets scanning CLI)
Affected Versions: ≤ v1.43.0
Type: SSL/TLS Verification Disablement (CWE-295)
Impact: Man-in-the-middle risk on all API communications
Disclosure Status: Public, vendor updated behavior in v1.44.1
---
Technical Details
-----------------
GGShield provides an option called `--allow-self-signed` which internally
disables *all* SSL/TLS certificate verification, not only self-signed
certificate checks.
Code:
def create_session(allow_self_signed: bool = False) -> Session:
session = Session()
if allow_self_signed:
urllib3.disable_warnings()
session.verify = False # All certificate validation disabled
return session
This effectively makes all GGShield API calls vulnerable to interception via
Man-in-the-Middle (MitM) attacks, leakage of scanned content, credential
theft,
and manipulation of scan results.
---
Attack Scenarios
----------------
1. Developer on untrusted WiFi using `--allow-self-signed`
2. CI/CD pipelines where troubleshooting instructions suggest bypassing SSL
3. Enterprise networks with transparent proxies abusing disabled validation
4. Internal threat actor with network access
---
Vendor Response & Mitigations
-----------------------------
In GGShield v1.44.1, GitGuardian introduced several improvements:
- Added a new `--insecure` flag to clearly indicate total SSL bypass
- Added prominent warnings when SSL verification is disabled
- Deprecated the misleading `--allow-self-signed` flag
- Recommended using system certificate trust stores instead
These changes mitigate user confusion and reduce accidental insecure usage.
---
Timeline
--------
2025-09-20 – Initial report to vendor
2025-10-13 – Vendor responds, considers behavior “intentional”
2025-10-20 – Vendor declines changes at that time
2025-11-13 – CERT/CC advises researcher to proceed with public disclosure
2025-11-16 – Vendor releases v1.44.1 with mitigations (1week)
2025-11-17 – Public disclosure
---
Author
------
Tanish Saxena
Independent Security Researcher
This disclosure is provided in good faith for user protection and awareness.
Regards,
Tanish
