GHSA-pmwq-pjrm-6p5r

Source
https://github.com/advisories/GHSA-pmwq-pjrm-6p5r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-pmwq-pjrm-6p5r/GHSA-pmwq-pjrm-6p5r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pmwq-pjrm-6p5r
Published
2026-05-08T22:24:19Z
Modified
2026-05-09T16:44:22.953456236Z
Severity
  • 4.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
Summary
in-toto-golang and in-toto-python have inconsistent negation behavior
Details

Impact

What kind of vulnerability is it? Who is impacted?

in-toto-golang and in-toto-python both support glob patterns in artifact rules to indicate the artifacts that a rule applies to. Both support negation in character classes to indicate what should not be matched, but they used different operators for it: in-toto-python uses ! while in-toto-golang used ^. A layout authored with the expectations of one implementation can therefore exhibit different behavior when verified with the other.

This impacts users in a specific set of circumstances where two different implementations are used to verify the same layout and attestation bundle at different stages of the same pipeline. As a rule of thumb, we advise using a single implementation across all aspects of a pipeline, from layout creation through pipeline execution and verification, to prevent this class of bug.
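To make the divergence concrete, the following Go program (an added example, not code from in-toto-golang or in-toto-python) evaluates one artifact-rule glob under both conventions. It uses Go's standard path.Match, which negates a class with a leading ^ and treats a leading ! as a literal member, and it approximates fnmatch's handling of the negation operator by rewriting [! to [^ and escaping a leading ^ before calling path.Match. The function names, the pattern and the file names are constructed for this example, and the rewrite is an illustration of the semantic gap, not the change made in pull request 462. AmbiguousClasses is the kind of pre-deployment check a layout author would want: it flags every character class whose meaning depends on which implementation reads it.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// MatchGolangConvention evaluates a glob as the pre-0.11.0 Go convention did:
// "[^...]" negates a character class and "!" inside a class is literal.
// (Hypothetical helper name; wraps the standard library's path.Match.)
func MatchGolangConvention(pattern, name string) (bool, error) {
	return path.Match(pattern, name)
}

// toGoNegation rewrites a glob written with the in-toto-python convention
// into the equivalent path.Match pattern: "[!" becomes "[^", and a leading
// "^" inside a class (literal in fnmatch) is escaped. Only the first
// character after "[" is rewritten; the rest of the class passes through.
// This is an approximation covering the negation operator only.
func toGoNegation(pattern string) string {
	var b strings.Builder
	inClass := false
	for i := 0; i < len(pattern); i++ {
		c := pattern[i]
		switch {
		case c == '\\' && i+1 < len(pattern): // copy escaped byte verbatim
			b.WriteByte(c)
			i++
			b.WriteByte(pattern[i])
		case c == '[' && !inClass:
			inClass = true
			b.WriteByte(c)
			if i+1 < len(pattern) {
				switch pattern[i+1] {
				case '!': // python negation -> Go negation
					b.WriteByte('^')
					i++
				case '^': // literal in python -> escape for Go
					b.WriteString(`\^`)
					i++
				}
			}
		case c == ']' && inClass:
			inClass = false
			b.WriteByte(c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// MatchPythonConvention evaluates the same glob as in-toto-python's
// fnmatch-based matching would for negated classes: "[!...]" negates,
// "[^...]" is literal. (Hypothetical helper name.)
func MatchPythonConvention(pattern, name string) (bool, error) {
	return path.Match(toGoNegation(pattern), name)
}

// AmbiguousClasses returns the character classes in a pattern whose meaning
// differs between the two conventions, i.e. those opening with "!" or "^".
// Use it to lint layout artifact rules before a cross-implementation deploy.
func AmbiguousClasses(pattern string) []string {
	var found []string
	for i := 0; i < len(pattern); i++ {
		if pattern[i] == '\\' { // skip escaped byte
			i++
			continue
		}
		if pattern[i] != '[' {
			continue
		}
		end := strings.IndexByte(pattern[i+1:], ']')
		if end < 0 { // unterminated class; nothing more to scan
			break
		}
		class := pattern[i : i+2+end]
		if len(class) > 2 && (class[1] == '!' || class[1] == '^') {
			found = append(found, class)
		}
		i += end + 1
	}
	return found
}

func main() {
	pattern := "build/[!t]*.o" // constructed artifact-rule pattern
	for _, name := range []string{"build/test.o", "build/main.o", "build/!x.o"} {
		g, _ := MatchGolangConvention(pattern, name)
		p, _ := MatchPythonConvention(pattern, name)
		fmt.Printf("%-14s golang(^)=%-5t python(!)=%-5t\n", name, g, p)
	}
	fmt.Println("classes to review before cross-implementation use:", AmbiguousClasses(pattern))
}
```

Running the program shows build/test.o matching under the Go convention and not under the Python one, and build/main.o doing the opposite, for the same rule; a rule that only ever uses plain classes such as [a-z] produces no ambiguous classes and behaves identically in both.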

Patches

Has the problem been patched? What versions should users upgrade to?

in-toto-golang has been updated to use ! instead of ^ to indicate negation. See https://github.com/in-toto/in-toto-golang/pull/462. This is part of v0.11.0.

Database specific
{
    "github_reviewed": true,
    "severity": "MODERATE",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-168"
    ],
    "github_reviewed_at": "2026-05-08T22:24:19Z"
}

Affected packages

Go / github.com/in-toto/in-toto-golang

Package

Name
github.com/in-toto/in-toto-golang
Purl
pkg:golang/github.com/in-toto/in-toto-golang

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.11.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-pmwq-pjrm-6p5r/GHSA-pmwq-pjrm-6p5r.json"