Researchers at The Hacker News discovered a vulnerability in GitHub's "Verified" commit feature that allows users to create new commits with existing signatures [1].
This flaw undermines the trust model of software development by allowing unauthorized changes to appear as if they were signed by a trusted contributor. Because many organizations rely on verified commits to prevent malicious code from entering their repositories, this vulnerability could facilitate supply chain attacks.
The issue stems from a flawed assumption regarding the uniqueness of Git hashes [1]. In a standard Git environment, a signature is tied to a specific commit. However, the researchers found that the "Verified" feature on GitHub can be exploited to produce new commits that maintain the same signature as a previously signed commit [1].
This means an attacker could potentially rewrite history or introduce new code while retaining the visual "Verified" badge that signals authenticity to other developers. The vulnerability essentially decouples the signature from the specific state of the code it was intended to validate [1].
Regarding the technical nature of the flaw, a researcher said, "The commit's hash does not" [1]. This refers to the discrepancy between how the signature is validated and how the commit hash is handled within the GitHub interface.
GitHub has not yet detailed a full patch for the issue, but the discovery highlights a critical gap in how the platform handles cryptographic verification. The ability to spoof a verified status allows for the creation of duplicate commits that appear legitimate despite being altered [1].
“GitHub's 'Verified' commit feature can be exploited to create new commits with the same signature.”
This vulnerability indicates that the 'Verified' badge on GitHub is a visual indicator of a signature's existence rather than a guarantee of the current commit's integrity. For developers and security teams, it means that relying solely on the GitHub UI to verify the authenticity of code is insufficient; independent local verification of Git signatures is necessary to ensure that code has not been rewritten or manipulated after the signature was applied.



