What is GHSA-63wh-p5fx-h4vc?

GHSA-63wh-p5fx-h4vc is a security advisory published by GitHub Security Advisories with Medium severity. BBOT's git_clone.py can expose users' GitHub API keys to an attacker-controlled webserver

Which CVE IDs does GHSA-63wh-p5fx-h4vc cover?

GHSA-63wh-p5fx-h4vc covers the following CVE IDs: CVE-2025-10281. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-63wh-p5fx-h4vc?

GHSA-63wh-p5fx-h4vc has a CVSS v3 base score of 4.7, published by GitHub Security Advisories.

Which products are affected by GHSA-63wh-p5fx-h4vc?

GHSA-63wh-p5fx-h4vc affects 1 product, including: pip/bbot:\u003c 2.7.0.

GHSA-63wh-p5fx-h4vcMediumCVSS 4.7

BBOT's git_clone.py can expose users' GitHub API keys to an attacker-controlled webserver

Vendor

GitHub Security Advisories

Published

October 9, 2025

Last Modified

June 15, 2026

🔗 CVE IDs covered (1)

CVE-2025-10281 →

📋 Description

Summary

Due to unsafe URL handling, bbot's git_clone.py can be made to leak a user's github.com API key to an attacker-controlled webserver.

Impact

A user who has placed their github.com API key in the configuration for any of the following modules:

github_codesearch
github_workflows
gitlab
git_clone
github_usersearch
github_org

may leak it to an untrustworthy server.

🎯 Affected products1

pip/bbot:< 2.7.0

🔗 References (5)

https://github.com/blacklanternsecurity/bbot/security/advisories/GHSA-63wh-p5fx-h4vc
https://nvd.nist.gov/vuln/detail/CVE-2025-10281
https://github.com/blacklanternsecurity/bbot/commit/0ede97fa887de33fcfd1378b4213a09c21dc6140
https://blog.blacklanternsecurity.com/p/bbot-security-advisory-gitdumper
https://github.com/advisories/GHSA-63wh-p5fx-h4vc