This repository was archived by the owner on May 18, 2026. It is now read-only.
Affected Files
| File | Lines |
| --- | --- |
| registry.json | 29–32 |
Recommended Fix
- Replace the all-zeros checksum with the actual SHA256 hash of the released binary
- If v0.1.0 is no longer the active version, remove the stale entry entirely
- Add CI validation to ensure no registry entry ships with a placeholder checksum
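One way to implement the CI validation in the last item, as an added example that is not code from this repository. The registry layout in `SAMPLE` and the names `classify` and `find_bad_checksums` are assumptions; the walker matches any field under a key containing `checksum` or `sha256`, so it does not depend on the exact schema.

```python
import hashlib
import json
import re
import sys

HEX64 = re.compile(r"[0-9a-fA-F]{64}")
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # digest of a zero-byte file
# Constructed sample; the layout is assumed, not taken from the real registry.json.
SAMPLE = {"extensions": [{"id": "example.ext", "versions": [
    {"version": "0.1.0", "artifacts": {"windows/amd64": {
        "checksum": {"algorithm": "sha256", "value": "0" * 64}}}},
    {"version": "0.2.0", "artifacts": {"windows/amd64": {
        "checksum": {"algorithm": "sha256", "value": "ab" * 32}}}},
]}]}

def classify(digest):
    """Return why a digest is unusable, or None if it looks real."""
    if not HEX64.fullmatch(digest):
        return "not a 64-character hex SHA256"
    if len(set(digest)) == 1:
        return "placeholder (one repeated character)"
    if digest.lower() == EMPTY_SHA256:
        return "SHA256 of empty input"
    return None

def find_bad_checksums(node, path="$", key="", in_checksum=False):
    """Walk any JSON shape; yield (path, reason) for each bad checksum field."""
    in_checksum = in_checksum or "checksum" in key or "sha256" in key
    if isinstance(node, dict):
        for k, v in node.items():
            yield from find_bad_checksums(v, f"{path}.{k}", k.lower(), in_checksum)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from find_bad_checksums(v, f"{path}[{i}]", key, in_checksum)
    elif in_checksum and key != "algorithm":
        reason = classify(node) if isinstance(node, str) else "not a string"
        if reason:
            yield path, reason

def main(argv):
    registry = SAMPLE
    if len(argv) > 1:  # CI passes the path to the real file
        with open(argv[1], encoding="utf-8") as fh:
            registry = json.load(fh)
    bad = list(find_bad_checksums(registry))
    print("\n".join(f"{p}: {r}" for p, r in bad))
    return 1 if bad else 0  # non-zero exit fails the job

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a required CI step with the registry path as its argument. It only rejects obvious placeholders and malformed values; confirming that a digest matches the published binary still requires hashing the release artifact itself.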
References
OWASP Top 10: A08:2021 — Software and Data Integrity Failures
Vulnerability: Placeholder SHA256 Checksum in Extension Registry
CWE: CWE-345 — Insufficient Verification of Data Authenticity
Severity: High
Description
The registry.json file contains an all-zeros SHA256 checksum for the v0.1.0 windows/amd64 artifact:
This placeholder value defeats integrity verification entirely. If the download URL for the v0.1.0 binary were compromised (CDN hijack, DNS poisoning, or GitHub release tampering), any substitute binary would pass the checksum validation, enabling artifact substitution attacks.