CVE-2025-10284 describes a Remote Code Execution (RCE) vulnerability found in the unarchive.py script within bbot. This flaw allows a malicious website to manipulate bbot into writing arbitrary files to any location on a user's system. The vulnerability impacts versions of bbot up to and including 2.6.1.6915rc0. A fix is available in version 2.7.0.
The primary impact of CVE-2025-10284 is Remote Code Execution. An attacker controlling a malicious website can exploit this vulnerability by crafting a specific request that triggers the unarchive.py script to write files outside its intended directory. This allows the attacker to execute arbitrary code on the user's system, effectively gaining control. The blast radius extends to any user who uses bbot to scan websites, particularly if they are unaware of the malicious nature of the target site. This vulnerability shares similarities with other file manipulation vulnerabilities where improper input validation leads to arbitrary file writes and subsequent code execution.
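The bug class described above, archive members that land outside the intended extraction directory, is guarded against by validating every member's resolved path before anything is written. The following is an added example and is not bbot's code, its unarchive.py, or the 2.7.0 fix: it builds a small tar archive in memory (constructed for this demonstration, containing a benign member and one named `../../escape.txt`) and runs it through a hardened extractor that only writes regular files and directories whose resolved path stays inside the destination. The function names `safe_extract`, `is_within` and `run_demo` are this example's own.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample archive (not from bbot or the advisory): one benign member
# and one whose name climbs out of the extraction directory with "..".
ESCAPING_MEMBER = "../../escape.txt"


def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("report/index.html", b"<html></html>"),
                              (ESCAPING_MEMBER, b"outside")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def is_within(base: str, target: str) -> bool:
    """True if target resolves to base itself or to a path below it."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def safe_extract(archive_bytes: bytes, dest: str) -> dict:
    """Extract regular files and directories whose resolved path stays inside dest.
    Absolute names, traversal members and link entries (which could redirect a
    later write) are rejected instead of written.
    Returns {"extracted": [...], "rejected": [...]} in archive order."""
    os.makedirs(dest, exist_ok=True)
    result = {"extracted": [], "rejected": []}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            if (os.path.isabs(member.name)
                    or not is_within(dest, target)
                    or not (member.isfile() or member.isdir())):
                result["rejected"].append(member.name)
                continue
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                # Parent is inside dest because target is; write the bytes ourselves
                # so the behaviour does not depend on tarfile's extraction filters.
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tar.extractfile(member) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            result["extracted"].append(member.name)
    return result


def run_demo() -> dict:
    """Extract the constructed archive into a fresh temp dir and report the outcome."""
    dest = tempfile.mkdtemp(prefix="safe-extract-")
    outcome = safe_extract(build_sample_archive(), dest)
    with open(os.path.join(dest, "report", "index.html"), "rb") as f:
        outcome["index_html"] = f.read()
    outcome["escape_written"] = os.path.exists(os.path.join(dest, ESCAPING_MEMBER))
    return outcome


if __name__ == "__main__":
    print(run_demo())
```

Running the block extracts `report/index.html` and rejects `../../escape.txt`; the same `is_within` check applies unchanged to zip members, where the entry name comes from `ZipInfo.filename`.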
CVE-2025-10284 was publicly disclosed on 2025-10-09. The vulnerability's severity is considered CRITICAL due to the potential for Remote Code Execution. There are currently no known public proof-of-concept exploits available, but the ease of exploitation makes it a likely target. It is not currently listed on the CISA KEV catalog.
Users who rely on bbot for website scanning, particularly those who frequently scan websites from untrusted sources, are at significant risk. Individuals using older, unpatched versions of bbot (≤2.6.1.6915rc0) are especially vulnerable. Those running bbot in automated environments or as part of a CI/CD pipeline are also at increased risk.
• python / supply-chain:

import subprocess
from packaging.version import Version  # provided by the "packaging" package

# Check the installed bbot version
result = subprocess.run(['bbot', '--version'], capture_output=True, text=True)
version = result.stdout.strip().split()[-1]  # assumes the version number is the last token printed
# Every release up to and including 2.6.1.6915rc0 is affected; 2.7.0 carries the fix
if Version(version) <= Version('2.6.1.6915rc0'):
    print("bbot version is vulnerable to CVE-2025-10284")

• linux / server:

# Check for suspicious file creation in /tmp or other writable directories (files changed in the last 60 minutes)
find /tmp -type f -mmin -60 -print

• generic web:

Inspect HTTP requests to unarchive.py for unusual parameters or file extensions.
EPSS: 0.20% (41st percentile)
The primary mitigation for CVE-2025-10284 is to upgrade bbot to version 2.7.0 or later, which contains the necessary fix. If upgrading immediately is not feasible, consider temporarily disabling the unarchive.py script if it's not essential to your workflow. While a WAF or proxy cannot directly prevent this vulnerability, it can be configured to inspect requests to unarchive.py for suspicious patterns. Monitor system logs for unusual file creation activity, particularly in unexpected locations. After upgrading, confirm the fix by attempting to scan a known safe website and verifying that no unexpected files are created.
Upgrade the bbot package to a version later than 2.6.1. This can be done with the Python package manager pip by running: `pip install --upgrade bbot`. This installs the latest available version, which includes the security fix.
CVE-2025-10284 is a CRITICAL Remote Code Execution vulnerability in bbot's unarchive.py script, allowing malicious websites to execute code on a user's system.
You are affected if you are using bbot version 2.6.1.6915rc0 or earlier. Upgrade to version 2.7.0 to resolve the vulnerability.
Upgrade bbot to version 2.7.0 or later. If immediate upgrade is not possible, temporarily disable the unarchive.py script.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest it may become a target.
Refer to the bbot project's official website or GitHub repository for the latest security advisories and updates.