Severity: MEDIUM 4.7

GHSA-63wh-p5fx-h4vc

BBOT's git_clone.py can expose users' GitHub API keys to an attacker-controlled webserver

Details

### Summary

Due to unsafe URL handling, BBOT's `git_clone.py` can be made to leak a user's github.com API key to an attacker-controlled web server: a repository URL that the scan discovers is not checked to actually belong to github.com before the key is sent along with the clone request.

### Impact

A user who has placed their github.com API key in the configuration for any of the following modules:

* `github_codesearch`
* `github_workflows`
* `gitlab`
* `git_clone`
* `github_usersearch`
* `github_org`

may leak it to an untrustworthy server.
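The advisory describes the bug only as "unsafe URL handling", so the following is an added illustration of the general pattern, not BBOT's own code and not a reproduction of its exact defect. It contrasts a scanner that attaches its github.com token to every clone URL it discovers with one that parses the URL and releases the token only to an exact, allow-listed host over HTTPS on the default port. The `Authorization: token ...` header format, the `ALLOWED_HOSTS` set and the sample URLs are assumptions chosen for the example.

```python
"""Added example (not BBOT's code): gate a github.com API token on the
parsed host of the clone URL instead of trusting every discovered URL."""
from urllib.parse import urlsplit

# Assumption: only github.com itself may ever see the token.
ALLOWED_HOSTS = {"github.com"}


def vulnerable_clone_headers(url: str, token: str) -> dict:
    """The leaky pattern: the token goes out with every clone, whoever hosts it."""
    return {"Authorization": f"token {token}"}


def hardened_clone_headers(url: str, token: str) -> dict:
    """Return the auth header only if the URL is genuinely https://github.com/...

    urlsplit().hostname lowercases the host and strips any user:pass@ prefix,
    so look-alikes such as 'github.com@evil.example' resolve to 'evil.example'.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return {}  # no token over plaintext or non-HTTP schemes
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return {}  # subdomain tricks, path tricks and userinfo tricks all fail here
    if parts.port not in (None, 443):
        return {}  # an odd port is not the real service; treat as untrusted
    return {"Authorization": f"token {token}"}


def audit(urls, token: str) -> dict:
    """For each constructed URL, report whether each policy would leak the token."""
    return {
        url: {
            "vulnerable_leaks": bool(vulnerable_clone_headers(url, token)),
            "hardened_leaks": bool(hardened_clone_headers(url, token)),
        }
        for url in urls
    }


# Constructed sample URLs: one legitimate, the rest attacker-controlled look-alikes.
SAMPLE_URLS = [
    "https://github.com/example-org/example-repo.git",
    "https://GitHub.com/example-org/example-repo",
    "https://github.com.evil.example/example-org/example-repo.git",
    "https://evil.example/github.com/example-repo.git",
    "https://github.com@evil.example/example-repo.git",
    "http://github.com/example-org/example-repo.git",
    "https://github.com:8443/example-org/example-repo.git",
]

if __name__ == "__main__":
    for url, result in audit(SAMPLE_URLS, "ghp_constructed_example").items():
        print(f"{url}\n  vulnerable leaks: {result['vulnerable_leaks']}"
              f"  hardened leaks: {result['hardened_leaks']}")
```

Only the first two URLs (exact host, case-insensitive) receive the token under the hardened check; every look-alike, the plaintext URL and the non-default port are refused, whereas the vulnerable variant sends the token to all seven.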

Affected packages

PyPI / bbot
Introduced in: 0 (all releases before the fix)
Fixed in: 2.7.0
Fix: pip install --upgrade 'bbot>=2.7.0'
