CVE-2025-10281
MEDIUM4.7EPSS 0.03%BBOT's git_clone.py can expose users' GitHub API keys to an attacker-controlled webserver
Published: 10/9/2025Modified: 10/9/2025
Description
### Summary Due to unsafe URL handling, bbot's `git_clone.py` can be made to leak a user's github.com API key to an attacker-controlled webserver. ### Impact A user who has placed their github.com API key in the configuration for any of the following modules: * `github_codesearch` * `github_workflows` * `gitlab` * `git_clone` * `github_usersearch` * `github_org` may leak it to an untrustworthy server.
Affected packages (1)
- PyPI/bbotfrom 0, < 2.7.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-10281
- PATCHhttps://github.com/blacklanternsecurity/bbot
- WEBhttps://blog.blacklanternsecurity.com/p/bbot-security-advisory-gitdumper
- WEBhttps://github.com/blacklanternsecurity/bbot/commit/0ede97fa887de33fcfd1378b4213a09c21dc6140
- WEBhttps://github.com/blacklanternsecurity/bbot/security/advisories/GHSA-63wh-p5fx-h4vc