VDB
KO
CRITICAL 9.6

GHSA-h6m2-r6h9-4c44

BBOT's insufficient sanitization issues in gitdumper.py can lead to RCE

Details

### Summary

bbot's `gitdumper.py` insufficiently sanitises a `.git/config` file, leading to Remote Code Execution (RCE).

bbot's `gitdumper.py` can be made to consume a malicious `.git/index` file, leading to arbitrary file write which can be used to achieve Remote Code Execution (RCE).
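The advisory states the outcome (an arbitrary file write from a malicious `.git/index`) but not the mechanism. The check below is an added example, not code from bbot or from the advisory: it shows the kind of path validation a git-dumping tool should apply to every index entry before writing it under the dump directory, so that an attacker-controlled path cannot land outside that directory or inside the dump's own `.git/`. The function names, the destination directory and the sample index paths are all constructed for this illustration.

```python
"""Path-safety check for files written by a git-dumping tool (added example)."""
import os
import posixpath

# Path components that must never appear in an index entry we write out.
# "" catches "a//b" and trailing slashes, "." and ".." catch traversal,
# and ".git" (compared case-insensitively below) keeps attacker-supplied
# files out of the dump's own repository metadata and hooks.
BLOCKED_COMPONENTS = {"", ".", "..", ".git"}


def is_safe_index_path(entry_path: str, dest_dir: str) -> bool:
    """Return True only if writing `entry_path` under `dest_dir` cannot escape it.

    Git index paths are always '/'-separated and relative; anything else
    (absolute paths, NUL bytes, backslashes) is rejected outright.
    """
    if not entry_path or "\x00" in entry_path or "\\" in entry_path:
        return False
    if posixpath.isabs(entry_path):
        return False

    components = entry_path.split("/")
    if any(c.lower() in BLOCKED_COMPONENTS for c in components):
        return False

    # Belt and braces: resolve the final location (following any symlinks
    # that already exist on disk) and confirm it is strictly inside dest_dir.
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, entry_path))
    return os.path.commonpath([root, target]) == root and target != root


def filter_index_paths(paths, dest_dir):
    """Keep only the index entries that are safe to materialise under dest_dir."""
    return [p for p in paths if is_safe_index_path(p, dest_dir)]


# Constructed sample of paths as they might be read from an untrusted index.
SAMPLE_INDEX_PATHS = [
    "README.md",                 # ordinary file: allowed
    "src/app.py",                # nested ordinary file: allowed
    "../../.bashrc",             # escapes the dump directory: rejected
    "/etc/passwd",               # absolute path: rejected
    ".git/hooks/post-checkout",  # would plant a hook in the dump: rejected
    "docs/../../escape",         # traversal hidden behind a real directory: rejected
    "nested/.GIT/config",        # case variant of .git: rejected
]

if __name__ == "__main__":
    dest = "/tmp/bbot_dump"  # hypothetical dump directory
    for path in SAMPLE_INDEX_PATHS:
        verdict = "write" if is_safe_index_path(path, dest) else "REJECT"
        print(f"{verdict:7} {path}")
```

The component check does the real work; the `realpath` comparison at the end is a second line of defence for cases the string check cannot see, such as an existing symlink inside the dump directory pointing elsewhere.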

### Impact

A user who uses bbot to scan a malicious webserver may have arbitrary code executed on their system.


Affected packages

PyPI / bbot
Introduced in: 0
Fixed in: 2.7.0
Fix: `pip install --upgrade 'bbot>=2.7.0'`
