As a security company, we’re no strangers to software bugs. This blog consists mostly of new CVEs discovered by our operators on pentests, and of open source software we publish for the hacker community, like BBOT.
But as any software company learns sooner or later, software is meant to be broken, and after 10 years of breaking other people’s, the time has finally come to break ours.
We’re referring to four new BBOT CVEs discovered by Justin Steven, a researcher at Tanto Security. Two of these are critical severity, and introduce the possibility for a clever defender to get code execution on the attacker’s system during certain BBOT scans. Fixes have been pushed in BBOT 2.7.0.
Affected BBOT versions are < 2.7.0. If you’re still running these old versions, and if you’re scanning a target known for their spicy honeypots, you may be in danger. See below for details.
BBOT CVEs
CVE-2025-10281 - [4.7 MEDIUM] - Insecure URL Handling in git_clone leads to Leaked API Key
When executing a scan with a GitHub API key, the target exposes a specially crafted git repo link to steal your API key. It was resolved by fixing the URL validation to ensure GitHub API keys are sent only to github.com URLs.
CVE-2025-10282 - [4.7 MEDIUM] - GitLab Domain Confusion in gitlab Leaks API Key
When executing a scan with a GitLab API key, the target hosts a web server pretending to be an on-prem GitLab server, which steals your API key. It was fixed by separating GitLab into two modules: one for on-prem, and one for GitLab.com.
CVE-2025-10283 - [9.6 CRITICAL] - Improper .git Sanitization in gitdumper Enables RCE
A target being scanned by BBOT hosts a malicious git repo on one of their webservers, which upon being downloaded and checked out by gitdumper, results in RCE on the scanner system. This was fixed by performing aggressive sanitization on the git folder (deleting the git index, config, and all hooks) before running `git checkout`.
CVE-2025-10284 - [9.6 CRITICAL] - Improper Archive Extraction in unarchive Enables RCE
The target hosts a collection of specially crafted compression archives (e.g. tar files) which, when extracted, could write arbitrary files, leading to RCE. This was possible because of a directory name collision, which led to extraction into a non-empty folder. We fixed it by aborting extraction early if the destination folder already exists.
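The two API key CVEs above share one root cause: a credential meant for github.com or gitlab.com was attached to requests for hosts the target controlled. The check below is an added example (not BBOT's own code) of the strict host matching that fix describes; the `credential_allowed` function and the `TOKEN_HOSTS` table are assumptions for illustration, and it rejects look-alike hosts, userinfo tricks, non-HTTPS schemes and malformed ports.

```python
from urllib.parse import urlsplit

# Hosts that may receive a given credential. Assumed for this example:
# a GitHub token goes only to github.com, a GitLab.com token only to
# gitlab.com; an on-prem GitLab found on a target never gets either.
TOKEN_HOSTS = {
    "github": {"github.com"},
    "gitlab_com": {"gitlab.com"},
}


def credential_allowed(url: str, service: str) -> bool:
    """Return True only when `url` is an HTTPS URL whose hostname exactly
    matches a host trusted for `service`.

    Anything else is refused so the credential is never attached:
    another scheme, a look-alike host such as github.com.evil.example,
    userinfo tricks such as github.com@evil.example, the trusted name
    appearing only in the path, or a URL that does not parse cleanly.
    """
    try:
        parts = urlsplit(url)
        # Accessing .port raises ValueError on a malformed port, which we
        # treat as an untrusted URL rather than guessing.
        _ = parts.port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # .hostname is lower-cased and has userinfo and port stripped, so the
    # comparison below is an exact match on the real destination host.
    host = parts.hostname
    if not host:
        return False
    return host in TOKEN_HOSTS.get(service, set())


if __name__ == "__main__":
    # Constructed sample URLs, as a scanner might discover on a target.
    for url in (
        "https://github.com/org/repo.git",
        "https://github.com.evil.example/org/repo.git",
        "https://github.com@evil.example/org/repo.git",
        "https://gitlab.target.example/api/v4",
    ):
        print(url, "->", credential_allowed(url, "github"))
```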
Disclosure
We are super grateful to Justin for catching these vulns, and especially for his gracious handling of the disclosure, which helped make what could have been a stressful situation as manageable as possible. Having plenty of notice and helpful feedback during the patching process enabled us to craft solid fixes and push them out in a timely manner.
Timeline:
July 4th, 2025 - Initial disclosure
July 4th, 2025 - Work begins on patches
August 25th, 2025 - PoCs finalized
August 25th, 2025 - Patches finalized
September 11th, 2025 - Patches approved
September 11th, 2025 - Patches merged into Dev
September 11th, 2025 - Patches merged into Stable
September 11th, 2025 - Patches published to PyPI
October 8th, 2025 - Blog, CVE Release
Justin will be revealing more details, including PoC exploits, in his talk at Kawaiicon on November 8th.
Closing Notes
Despite catching us a bit off guard, these bugs honed our security process, and demonstrated the best aspects of open source. The gitdumper and unarchive modules responsible for the critical CVEs were contributed by the community. Similarly, their open code helped the community identify and report the CVEs. This kind of collaboration is exactly why we believe in open source and will continue to push forward for more (and more secure) open source tools!
Justin is a talented researcher and we’re excited to see his talk. The exploits themselves, particularly the ones for gitdumper and unarchive, are the product of significant effort on his part. As security researchers, we recognize this and have to admit, they are pretty cool!
Thanks again to Justin and the team at Tanto Security. We appreciate the tough love and all the effort put towards improving BBOT.
How to Update
Stay safe and patch your stuff! Use these commands to update BBOT:
pip install --upgrade bbot
pipx upgrade bbot
How to Report Vulns
If you discover a vuln in BBOT or another BLS tool, please report it via GitHub’s security advisory feature:
https://github.com/blacklanternsecurity/bbot/security
A CVE will earn you some cool BLS swag, including a challenge coin!
Happy hacking!