Miggo Logo

CVE-2025-10282: BBOT's gitlab.py exposes globally configured "gitlab" API key

4.7

CVSS Score
3.1

Basic Information

EPSS Score
0.07404%
Published
10/27/2025
Updated
10/27/2025
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
bbotpip< 2.7.02.7.2
bbotpip>= 2.7.0.6919rc0, < 2.7.22.7.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability lies in bbot's gitlab.py module, which improperly handled API key authentication for different GitLab instances. The module used a single mechanism to communicate with both gitlab.com and on-premise GitLab servers. This created a scenario where a globally configured gitlab.com API key could be leaked to an attacker-controlled on-premise GitLab instance during a scan. The root cause is the lack of domain validation before sending the sensitive API key. The fix involved separating the module into two distinct modules, one for gitlab.com and one for on-premise instances, to ensure that the gitlab.com API key is only sent to gitlab.com.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry **ot's `*itl**.py` s*n*s t** us*r's "*itl**" *PI k*y to on-pr*mis* *itL** inst*n**s. I* * us*r **s *on*i*ur** * *itl**.*om *PI k*y usin* t*is m****nism, it m*y ** l**k** to *n *tt**k*r-*ontroll** s*rv*r. ### Imp**t * us*r wit* * "*itl

Reasoning

T** vuln*r**ility li*s in **ot's `*itl**.py` mo*ul*, w*i** improp*rly **n*l** *PI k*y *ut**nti**tion *or *i***r*nt *itL** inst*n**s. T** mo*ul* us** * sin*l* m****nism to *ommuni**t* wit* *ot* *itl**.*om *n* on-pr*mis* *itL** s*rv*rs. T*is *r**t** *