LOW 3.1

GHSA-3mp7-vp6j-2mxx

BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authenticate realm parsing

Details

The `docker_pull` module uses the `realm` parameter from a Docker registry's `WWW-Authenticate` response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the authentication request to an arbitrary endpoint, potentially leaking authentication tokens.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / bbot

Introduced in: 2.0.0 Fixed in: 2.8.5

Fix pip install --upgrade 'bbot>=2.8.5'

References

https://github.com/blacklanternsecurity/bbot/security/advisories/GHSA-3mp7-vp6j-2mxx [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2026-12566 [ADVISORY]
https://github.com/blacklanternsecurity/bbot/commit/c2f4bc0f4 [WEB]
https://github.com/blacklanternsecurity/bbot [PACKAGE]