CVE-2025-10283 — BBOT's insufficient sanitization issues in gitdumper.py can lead to RCE

Description

### Summary bbot's `gitdumper.py` insufficiently sanitises a `.git/config` file, leading to Remote Code Execution (RCE). bbot's `gitdumper.py` can be made to consume a malicious `.git/index` file, leading to arbitrary file write which can be used to achieve Remote Code Execution (RCE). ### Impact A user who uses bbot to scan a malicious webserver may have arbitrary code executed on their system.

How to fix CVE-2025-10283

To remediate CVE-2025-10283, upgrade the affected package to a fixed version below.

—upgrade to 2.7.0 or later

Is CVE-2025-10283 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.7.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-10283
PATCHgithub.com/blacklanternsecurity/bbot
WEBblog.blacklanternsecurity.com/p/bbot-security-advisory-gitdumper
WEBgithub.com/blacklanternsecurity/bbot/commit/0ede97fa887de33fcfd1378b4213a09c21dc6140