CVE-2025-10284: BBOT's various issues in unarchive.py can cause arbitrary file write and RCE
Various issues in bbot’s unarchive.py allow a malicious site to cause bbot to write arbitrary files to arbitrary locations. This can be used to achieve Remote Code Execution (RCE).
References
- blog.blacklanternsecurity.com/p/bbot-security-advisory-gitdumper
- github.com/advisories/GHSA-fhw8-8v9p-7jp7
- github.com/blacklanternsecurity/bbot
- github.com/blacklanternsecurity/bbot/commit/6325f2f4f8f6f4545703e4c9b8004e69f71bec82
- github.com/blacklanternsecurity/bbot/security/advisories/GHSA-fhw8-8v9p-7jp7
- nvd.nist.gov/vuln/detail/CVE-2025-10284