CRITICAL 9.6

GHSA-fhw8-8v9p-7jp7

BBOT's various issues in unarchive.py can cause arbitrary file write and RCE

Details

### Summary

Various issues in bbot's `unarchive.py` allow a malicious site to cause bbot to write arbitrary files to arbitrary locations. This can be used to achieve Remote Code Execution (RCE).

### Impact

A user who uses bbot to scan a malicious webserver may have arbitrary code executed on their system.

Affected packages

PyPI / bbot
Introduced in: 0
Fixed in: 2.7.0
Fix: `pip install --upgrade 'bbot>=2.7.0'`
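
To find projects that still pin an affected release, the following added example (not part of the advisory or of bbot) scans requirements-file text for exact `bbot==` pins below 2.7.0. The function names, the simplified version ordering and the sample file contents are assumptions constructed for illustration; range specifiers such as `>=` and version epochs are not evaluated.

```python
import re

FIXED = (2, 7, 0)  # "Fixed in" value from the advisory; affected range is 0 <= v < 2.7.0
# Exact pin of the bbot package: name, optional extras, == or ===, version.
PIN = re.compile(r"^\s*bbot\s*(?:\[[^\]]*\])?\s*===?\s*v?([0-9A-Za-z.!+_-]+)", re.I)
# Numeric release segment, then an optional pre-release or dev marker.
VERSION = re.compile(r"^(\d+(?:\.\d+)*)[._-]?(a|b|c|rc|alpha|beta|pre|preview|dev)?", re.I)

def is_affected(version: str) -> bool:
    """True if version sorts below 2.7.0 (simplified PEP 440 ordering)."""
    m = VERSION.match(version.strip())
    if not m or "!" in version:  # epochs are not handled in this sketch
        raise ValueError(f"unsupported version string: {version!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    width = max(len(release), len(FIXED))  # pad so 2.7 == 2.7.0
    release += (0,) * (width - len(release))
    fixed = FIXED + (0,) * (width - len(FIXED))
    if release != fixed:
        return release < fixed
    # Same release number: 2.7.0rc1 and 2.7.0.dev1 sort before 2.7.0.
    return m.group(2) is not None

def audit_requirements(text: str) -> list[tuple[int, str]]:
    """Return (line number, pinned version) for each affected bbot pin."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PIN.match(line.split("#", 1)[0])  # ignore trailing comments
        if m and is_affected(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = """\
# constructed requirements file
requests==2.32.3
bbot==2.6.1
BBOT == 2.7.0   # already on the fixed release
bbot==2.7.0rc1
bbot-tools==1.0
"""

if __name__ == "__main__":
    for lineno, version in audit_requirements(SAMPLE):
        print(f"line {lineno}: bbot {version} is below 2.7.0, upgrade required")
```
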
