Watch a 41-minute conference talk from the 38th Chaos Communication Congress (38C3) exploring critical security vulnerabilities in Qodo Merge, an AI-powered tool for handling git pull requests. Discover how this increasingly popular open-source tool, despite helpful features such as pull request analysis and code improvement suggestions, contains serious security flaws that could lead to privilege escalation on GitLab, unauthorized write access to GitHub repositories, and exposure of repository secrets. Learn about the widespread impact on major projects, including government repositories, automotive industry projects, and blockchain systems. Understand the technical details of how Qodo Merge operates, the specific exploitation methods, and the remediation steps repository owners need to protect their repositories. The presentation also addresses the challenges the speakers faced when attempting to report these vulnerabilities and examines the current security posture of the project.