CVE-2025-10281 — BBOT's git_clone.py can expose users' GitHub API keys to an attacker-controlled

Description

### Summary Due to unsafe URL handling, bbot's `git_clone.py` can be made to leak a user's github.com API key to an attacker-controlled webserver. ### Impact A user who has placed their github.com API key in the configuration for any of the following modules: * `github_codesearch` * `github_workflows` * `gitlab` * `git_clone` * `github_usersearch` * `github_org` may leak it to an untrustworthy server.

How to fix CVE-2025-10281

To remediate CVE-2025-10281, upgrade the affected package to a fixed version below.

—upgrade to 2.7.0 or later

Is CVE-2025-10281 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.7.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-10281
PATCHgithub.com/blacklanternsecurity/bbot
WEBblog.blacklanternsecurity.com/p/bbot-security-advisory-gitdumper
WEBgithub.com/blacklanternsecurity/bbot/commit/0ede97fa887de33fcfd1378b4213a09c21dc6140