Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Network vector because the trigger is a remote repository URL; AC:H because operator must scan an attacker-controlled repo with the specific module active; UI:R for required operator action; I:L because the write is bounded and indirect.
Primary rating from Vendor (BLSOPS).
CVSS VectorVendor: BLSOPS
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
BBOT's github_workflows module could be induced to write a downloaded artifact outside its configured output directory: its path-containment check did not resolve .., so a crafted CODE_REPOSITORY URL could traverse out of the intended folder. The write is bounded to two directory levels above the output location and its target is determined by the operator's configuration, not the attacker.
AnalysisAI
Path traversal in BBOT's github_workflows module allows a crafted CODE_REPOSITORY URL to write a downloaded artifact outside the operator-configured output directory by bypassing a path-containment check that failed to resolve .. sequences. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the targeted BBOT installation actively scans a repository URL supplied or influenced by the attacker using the github_workflows module - the operator must initiate this scan (UI:R). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 base score of 3.1 (Low) is consistent with the actual risk profile when all signals are examined together. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a GitHub repository whose URL is crafted to embed `..` path components in a position that BBOT's github_workflows module incorporates into the artifact write path. When a security operator runs a BBOT scan that includes this repository URL with the github_workflows module active, BBOT downloads a workflow artifact and writes it to a path up to two directory levels above the configured output folder rather than within it. … |
| Remediation | The primary fix is to update BBOT to a version that incorporates commit c1c6ec05ff998e2fba55a14d1026f12563ccd82f, available at https://github.com/blacklanternsecurity/bbot/commit/c1c6ec05ff998e2fba55a14d1026f12563ccd82f; a specific tagged release version is not confirmed in the available data, so operators should verify the installed version includes this commit or install from HEAD after the commit date. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Arbitrary file write in BBOT's postman_download module enables a remote attacker to write files outside the intended out
Path traversal in BBOT's unarchive internal module enables a malicious archive hosted by attacker-controlled infrastruct
Authentication token leakage in Black Lantern Security's bbot docker_pull module exposes Docker credentials to MITM atta
Symlink-following path traversal in BBOT's github_workflows module (all versions prior to commit 16d9c42b6) allows a loc
Symlink extraction bypass in BBOT's unarchive module allows an attacker to plant an attacker-controlled symlink into the
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42296