Platform: python
Component: bbot
Fixed in: 2.6.2, 2.7.0
CVE-2025-10283 is a Remote Code Execution (RCE) vulnerability in bbot, the recursive internet scanner, located in its gitdumper.py module. An attacker who controls a webserver that a bbot user scans can execute arbitrary code on the scanning host. All versions up to and including 2.6.1.6915rc0 are affected; the fix ships in 2.6.2 and 2.7.0.
The impact is severe and the attacker's side of the attack is cheap. The attacker hosts a crafted .git/config or .git/index inside an exposed .git directory on a server they control and waits for a bbot user to scan it; pointing a recon tool at hosts you do not control is exactly what the tool is for, so no social engineering is needed beyond being a plausible target. When gitdumper.py downloads and processes the dumped repository it does not validate the contents of those files, so the attacker decides where files are written on the scanning host. That arbitrary file write is enough to obtain code execution with the privileges of the user running bbot, which is commonly a user with broad access to scan results, credentials and other tooling. The blast radius is every bbot user who scans targets outside their own control, which in practice is every user of the tool.
CVE-2025-10283 was publicly disclosed on 2025-10-09 and is rated CRITICAL (CVSS 9.6). There is currently no indication of active exploitation campaigns and no KEV listing. Public proof-of-concept (PoC) code is not yet available, but because exploitation only requires hosting a file and being scanned, it is likely to be attempted once a PoC appears.
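The class of bug described above is "take files from an attacker's .git directory and hand them to git without looking at them". The validator below is an added example written for this page, not bbot's own code or its fix: before a dumped repository is checked out, it parses the .git/index (versions 2 and 3) and rejects entry paths that would escape the checkout directory or land inside .git, and it parses .git/config and flags keys whose values git executes as commands. The list of dangerous config keys and the sample index and config are constructed for the example and are not claimed to be exhaustive or to reproduce the actual CVE-2025-10283 payload.

```python
"""Audit a dumped .git/index and .git/config before letting git touch them.

Example code for this page; it is not part of bbot. The key list below is an
illustrative assumption, not a complete inventory of command-executing keys.
"""
import posixpath
import struct

# git config keys whose values git runs as commands (illustrative, assumed list)
COMMAND_KEYS = {
    "core.hookspath", "core.fsmonitor", "core.sshcommand", "core.gitproxy",
    "core.pager", "core.editor", "diff.external", "credential.helper",
}
# filter.<name>.clean/.smudge/.process and diff.<driver>.textconv/.command
COMMAND_LEAVES = {"clean", "smudge", "process", "textconv", "command"}


def parse_git_config(text):
    """Minimal parser for git's INI-like config.

    Returns (key, value) pairs with dotted, lower-cased keys such as
    'core.fsmonitor' or 'filter.lfs.smudge'. Comments and blank lines skipped.
    """
    section, pairs = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            head, _, sub = line[1:-1].strip().partition(" ")
            section = head.lower()
            if sub:                      # [filter "lfs"] -> filter.lfs
                section += "." + sub.strip().strip('"').lower()
            continue
        key, _, value = line.partition("=")
        if section and key.strip():
            pairs.append((section + "." + key.strip().lower(), value.strip()))
    return pairs


def parse_index_paths(data):
    """Return the entry paths of a version-2 or version-3 git index file."""
    if data[:4] != b"DIRC":
        raise ValueError("not a git index file")
    version, count = struct.unpack(">II", data[4:12])
    if version not in (2, 3):
        raise ValueError("unsupported index version %d" % version)
    pos, paths = 12, []
    for _ in range(count):
        start = pos
        flags = struct.unpack(">H", data[pos + 60:pos + 62])[0]
        pos += 62                        # stat data (40) + object id (20) + flags (2)
        if version == 3 and flags & 0x4000:
            pos += 2                     # extended flags word is present
        end = data.index(b"\0", pos)     # path is NUL-terminated
        paths.append(data[pos:end].decode("utf-8", "surrogateescape"))
        # each entry is NUL-padded to a multiple of 8 bytes (at least one NUL)
        pos = start + ((end + 1 - start + 7) // 8) * 8
    return paths


def unsafe_index_path(path):
    """True if checking out this entry could write outside the checkout
    directory or inside .git (hooks, config, ...)."""
    if not path or "\0" in path or "\\" in path or path.startswith("/"):
        return True
    parts = posixpath.normpath(path).split("/")
    return ".." in parts or ".git" in (p.lower() for p in parts)


def audit_dumped_git(index_bytes, config_text):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    for path in parse_index_paths(index_bytes):
        if unsafe_index_path(path):
            findings.append("index: unsafe entry path %r" % path)
    for key, value in parse_git_config(config_text):
        leaf = key.rsplit(".", 1)[-1]
        if key in COMMAND_KEYS or (key.count(".") >= 2 and leaf in COMMAND_LEAVES):
            findings.append("config: %s makes git run a command: %r" % (key, value))
    return findings


def build_index(paths):
    """Construct a minimal version-2 index with zeroed stat data (test input)."""
    body = b""
    for path in paths:
        name = path.encode()
        entry = struct.pack(">10I", 0, 0, 0, 0, 0, 0, 0o100644, 0, 0, 0)   # stat data
        entry += b"\0" * 20                                                # object id
        entry += struct.pack(">H", min(len(name), 0xFFF)) + name + b"\0"   # flags + path
        body += entry + b"\0" * (-len(entry) % 8)
    return b"DIRC" + struct.pack(">II", 2, len(paths)) + body


# Constructed sample input: one benign entry, two hostile ones, and a config
# that points core.fsmonitor and an LFS-style smudge filter at attacker paths.
SAMPLE_INDEX = build_index(["README.md", "../../.bashrc", ".git/hooks/post-checkout"])
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tfsmonitor = /tmp/not-a-real-watcher
[filter "lfs"]
\tsmudge = /tmp/not-a-real-filter %f
"""

if __name__ == "__main__":
    for finding in audit_dumped_git(SAMPLE_INDEX, SAMPLE_CONFIG):
        print(finding)
```

In a dumper the natural place for this check is between "all objects downloaded" and the `git checkout` (or equivalent) that materialises the tree; a repository that produces any finding should be left on disk as raw objects for manual inspection rather than checked out.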
Exploit Status
EPSS: 0.06% (19th percentile)
The only real fix for CVE-2025-10283 is to upgrade bbot to 2.6.2 or later (2.7.0 on the newer release line). If you cannot upgrade immediately, do not run the gitdumper module against targets you do not control, and run scans from an isolated, disposable host or container so that a compromise of the scanning environment does not reach credentials or internal networks. Note what does not help: a WAF in front of your own servers is irrelevant, because the victim is the machine running bbot and the malicious content comes from the target; reviewing dumped repositories after the fact is too late, because the damage happens while gitdumper.py processes them. For detection, log egress from the scanning host and alert on the bbot process writing files outside its output directory or spawning unexpected child processes; no Sigma or YARA rules specific to this CVE were available at the time of writing.
Update the bbot package to 2.6.2 or later. With pip, run `pip install --upgrade bbot`; if you installed bbot with pipx, run `pipx upgrade bbot` instead. Confirm the installed version afterwards with `pip show bbot` (or `bbot --version`) and check that it is no longer 2.6.1 or earlier.
CVE-2025-10283 is a CRITICAL Remote Code Execution vulnerability in bbot's gitdumper.py module: because the module does not validate the .git/config or .git/index files it downloads, an attacker who controls a webserver that a bbot user scans can write arbitrary files on, and run code on, the user's system.
You are affected if you are using bbot version 2.6.1.6915rc0 or earlier. If you use bbot to scan external webservers, you are at higher risk.
Upgrade bbot to version 2.6.2 or later (or 2.7.0) to resolve this vulnerability. If an upgrade is not immediately possible, do not run the gitdumper module against untrusted targets and run scans from an isolated host.
There is currently no confirmed evidence of active exploitation, but the vulnerability's severity suggests it is likely to be targeted once a public proof-of-concept is available.
Refer to the bbot project's official website or GitHub repository for the latest security advisories and updates related to CVE-2025-10283.