GHSA-wc64-c5rv-32pf
MEDIUMin-toto vulnerable to Configuration Read From Local Directory
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
in-totoReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.
Description
Impact
The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification [1]. Among the files read is .in_totorc which is a hidden file in the directory in which in-toto is run. If an attacker controls the inputs to a supply chain step, they can mask their activities by also passing in an .in_totorc file that includes the necessary exclude patterns and settings.
RC files are widely used in other systems [2] and security issues have been discovered in their implementations as well [3]. We found in our conversations with in-toto adopters that in_totorc is not their preferred way to configure in-toto. As none of the options supported in in_totorc is unique, and can be set elsewhere using API parameters or CLI arguments, we decided to drop support for in_totorc.
Other Recommendations
Sandbox functionary code as recommended in https://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x.
References
[1] https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html [2] https://spec.editorconfig.org/ [3] https://github.blog/2022-04-12-git-security-vulnerability-announced/
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐍PyPI | in-toto | all versions | 2.0.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for in-toto. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update in-toto to 2.0.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-wc64-c5rv-32pf is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-wc64-c5rv-32pf is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-wc64-c5rv-32pf. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-wc64-c5rv-32pf in your dependencies?
O3 detects GHSA-wc64-c5rv-32pf across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.