Severity: LOW 2.2

GHSA-rvp7-w75q-9fv2

BBOT: Symlink-Following Arbitrary Write via github_workflows Module

Details

The `github_workflows` module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location.
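As an added example (not BBOT's own code), the hardened form of the pattern the advisory describes: the output directory is derived from a repository name, but the name is validated, a pre-planted symlink at the predictable path is refused, and the file is created relative to a directory descriptor with `O_NOFOLLOW` so a symlink swapped in after the check is not followed either. `safe_repo_dir`, `write_workflow` and `demo` are hypothetical names chosen for this example.

```python
import os
import re
import tempfile
from pathlib import Path

# Hypothetical helpers, not BBOT's code: the advisory's pattern with symlink and traversal checks.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

def safe_repo_dir(base: Path, repo_name: str) -> Path:
    if not SAFE_NAME.fullmatch(repo_name):
        raise ValueError(f"rejected repository name: {repo_name!r}")
    base = base.resolve()
    target = base / repo_name
    # A symlink pre-planted at the predictable output path is the bug's trigger.
    if target.is_symlink():
        raise PermissionError(f"refusing to follow symlink at {target}")
    target.mkdir(mode=0o700, exist_ok=True)  # 0700: other local users cannot add entries
    if target.is_symlink() or target.resolve().parent != base:
        raise PermissionError(f"{target} resolves outside {base}")
    return target

def write_workflow(base: Path, repo_name: str, filename: str, data: bytes) -> Path:
    """Write data to base/<repo_name>/<filename> without following any symlink."""
    out_dir = safe_repo_dir(base, repo_name)
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected file name: {filename!r}")
    # Open the directory with O_NOFOLLOW, then create the file relative to that descriptor.
    dfd = os.open(out_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        fd = os.open(filename, flags, 0o600, dir_fd=dfd)  # ELOOP if the file is a symlink
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    finally:
        os.close(dfd)
    return out_dir / filename

def demo() -> dict:
    """Constructed scenario: a normal write, a planted symlink, a traversal name."""
    base, elsewhere = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    os.symlink(elsewhere, base / "planted")  # pre-planted at the predictable path
    def blocked(exc, name):
        try:
            write_workflow(base, name, "ci.yml", b"x")
        except exc:
            return True
        return False
    written = write_workflow(base, "owner-repo", "ci.yml", b"name: ci\n")
    return {"normal_write": written.read_bytes() == b"name: ci\n",
            "symlink_blocked": blocked(PermissionError, "planted") and not (elsewhere / "ci.yml").exists(),
            "traversal_blocked": blocked(ValueError, "../escape")}
```

`demo()` returns all three flags as `True`; the symlink case confirms nothing landed in the attacker-chosen directory.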


Affected packages

PyPI / bbot: introduced in 2.0.0, fixed in 2.8.5
Fix: pip install --upgrade 'bbot>=2.8.5'
