CVE-2025-10283
CRITICAL9.6EPSS 0.07%BBOT's insufficient sanitization issues in gitdumper.py can lead to RCE
Published: 10/9/2025Modified: 10/9/2025
Description
### Summary bbot's `gitdumper.py` insufficiently sanitises a `.git/config` file, leading to Remote Code Execution (RCE). bbot's `gitdumper.py` can be made to consume a malicious `.git/index` file, leading to arbitrary file write which can be used to achieve Remote Code Execution (RCE). ### Impact A user who uses bbot to scan a malicious webserver may have arbitrary code executed on their system.
Affected packages (1)
- PyPI/bbotfrom 0, < 2.7.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-10283
- PATCHhttps://github.com/blacklanternsecurity/bbot
- WEBhttps://blog.blacklanternsecurity.com/p/bbot-security-advisory-gitdumper
- WEBhttps://github.com/blacklanternsecurity/bbot/commit/0ede97fa887de33fcfd1378b4213a09c21dc6140
- WEBhttps://github.com/blacklanternsecurity/bbot/security/advisories/GHSA-h6m2-r6h9-4c44