CVE-2025-10281
MEDIUM4.7EPSS 0.03%BBOT's git_clone.py can expose users' GitHub API keys to an attacker-controlled webserver
發布日:2025/10/9修改日:2025/10/9
描述
### Summary Due to unsafe URL handling, bbot's `git_clone.py` can be made to leak a user's github.com API key to an attacker-controlled webserver. ### Impact A user who has placed their github.com API key in the configuration for any of the following modules: * `github_codesearch` * `github_workflows` * `gitlab` * `git_clone` * `github_usersearch` * `github_org` may leak it to an untrustworthy server.
受影響套件(1)
- PyPI/bbotfrom 0, < 2.7.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-10281
- PATCHhttps://github.com/blacklanternsecurity/bbot
- WEBhttps://blog.blacklanternsecurity.com/p/bbot-security-advisory-gitdumper
- WEBhttps://github.com/blacklanternsecurity/bbot/commit/0ede97fa887de33fcfd1378b4213a09c21dc6140
- WEBhttps://github.com/blacklanternsecurity/bbot/security/advisories/GHSA-63wh-p5fx-h4vc