ballerina-platform/ballerina-lang used an insecure TrustManager for HTTPS connections, making clients vulnerable to a machine-in-the-middle attack (MiTM) and remote code execution (RCE).



Tested Version

Commit 9a4d1967


The Ballerina programming language provides the bal tool for managing everything related to Ballerina. Dependency management is done with the bal pull/push/search commands, which download packages from, upload packages to, or search the central repository.

I’m focusing on the bal pull command; the other sub-commands have the same problem and a similar execution flow. The bal pull command is internally represented by the PullCommand class, which delegates the actual work to the CentralAPIClient#pullPackage method. The pullPackage method then calls the Utils#initializeSsl method, which claims to “initialize SSL” but actually installs an insecure TrustManager (defined here).

An insecure TrustManager accepts any certificate chain the server presents, so an attacker can create a self-signed certificate that matches the hostname of the intercepted connection and the client will trust it.

After an attacker has forged such a certificate, they can intercept and manipulate the requested package and include arbitrary code! Because the issue affects both downloading and uploading of packages, this could also be used for a supply-chain attack.
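To make the defect concrete, here is an added Java example (written for this page, not code from ballerina-lang or its Utils#initializeSsl method) that places the accept-everything TrustManager pattern next to the hardened form that delegates to the JDK's default trust store, and a small probe a reviewer can use to detect the insecure variant at runtime. The class and method names (TrustManagerDemo, insecureContext, secureContext, acceptsAnyChain) are my own.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

public class TrustManagerDemo {

    // The insecure pattern: a TrustManager whose check methods never throw.
    // Because checkServerTrusted accepts every chain, a self-signed certificate
    // for the target hostname passes, and TLS no longer authenticates the server.
    // Shown only so it can be contrasted with, and detected against, the fix below.
    static X509TrustManager acceptAllTrustManager() {
        return new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    static SSLContext insecureContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { acceptAllTrustManager() }, new SecureRandom());
        return ctx;
    }

    // The hardened form: build the TrustManager from the platform default trust
    // store (cacerts). Passing a null KeyStore to init() selects that default.
    // Chains are now validated against real CA roots, so a forged self-signed
    // certificate is rejected during the handshake.
    static X509TrustManager defaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    static SSLContext secureContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { defaultTrustManager() }, new SecureRandom());
        return ctx;
    }

    // Audit probe: a validating TrustManager must reject an empty chain (the JDK
    // default throws IllegalArgumentException for a null or zero-length chain).
    // An accept-all implementation returns silently, which this probe reports.
    static boolean acceptsAnyChain(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;   // no exception on an empty chain: nothing is being validated
        } catch (Exception expected) {
            return false;  // rejected, as a validating trust manager should
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accept-all tm accepts empty chain: "
            + acceptsAnyChain(acceptAllTrustManager()));   // true
        System.out.println("default tm accepts empty chain:    "
            + acceptsAnyChain(defaultTrustManager()));     // false

        // Wiring the hardened context into a client connection. The hostname
        // (example.com) is a placeholder; the default HostnameVerifier is kept,
        // since replacing it with an accept-all verifier reopens the same hole.
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://example.com/").openConnection();
        conn.setSSLSocketFactory(secureContext().getSocketFactory());
    }
}
```

The probe is deliberately cheap: it cannot prove a TrustManager is correct, but any implementation that accepts an empty chain is certainly not validating anything, which is exactly the class of bug described above. In a code review, also look for a custom HostnameVerifier that returns true unconditionally; certificate validation and hostname verification are separate checks, and disabling either one defeats server authentication.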


Machine-in-the-middle attack. Remote code execution. Supply chain attack.



Coordinated Disclosure Timeline

  • 2021-03-08: Sent a mail to
  • 2021-06-04: Issue is patched.
  • 2021-06-22: CVE id is shared with me.
  • 2021-06-22: Advisory is published.


This issue was discovered and reported by @intrigus-lgtm.


You can contact the ISL at Please include a reference to ISL-2021-001 in any communication regarding this issue.