N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-61926

GHSA ID

GHSA-33f4-mjch-7fpr

EPSS Score

0.12146%

CWE

CWE-798

Published

10/10/2025

Updated

10/10/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-61926

CVE-2025-61926: Allstar Reviewbot has Authentication Bypass via Hard-coded Webhook Secret

A vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret:

https://github.com/ossf/allstar/blob/294ae985cc2facd0918e8d820e4196021aa0b914/pkg/reviewbot/reviewbot.go#L59

The value used for the secret token was compiled into the Allstar binary and could not be configured at runtime. In practice, this meant that every deployment using Reviewbot would validate requests with the same secret unless the operator modified source code and rebuilt the component - an expectation that is not documented and is easy to miss. While Reviewbot is not commonly enabled in standard Allstar setups, we are issuing this advisory to reach any environments where it may have been deployed.

Affected Versions

All Allstar releases prior to v4.5 that include the Reviewbot code path are affected. Deployments on v4.5 and later are not affected. If you have not enabled or exposed the Reviewbot endpoint, this issue does not apply to your installation.

Impact

If the Reviewbot endpoint is deployed and reachable, an attacker can bypass authentication by crafting webhook requests that use the known, hard-coded secret. Because signature verification will succeed, Reviewbot would treat these requests as authentic when they should be rejected. Depending on the permissions and automations attached to your deployment, this could allow unauthorized triggering of review actions such as posting automated comments or reviews, influencing checks, or otherwise manipulating repository signals. The primary risk is to the integrity of repository workflows rather than confidentiality or availability, although secondary effects (e.g., noisy automation, misleading reviews, or workflow disruptions) are possible.

Exploitability

Exploiting this is straightforward and does not require an attacker to be authenticated. Anyone who can send requests to the Reviewbot webhook can reach the vulnerable code.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-61926

CVE-2025-61926:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-61926

GHSA ID

GHSA-33f4-mjch-7fpr

EPSS Score

0.12146%

CWE

CWE-798

Published

10/10/2025

Updated

10/10/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/ossf/allstar	go	< 0.0.0-20250721181116-e004ecb540d6	0.0.0-20250721181116-e004ecb540d6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the reviewbot component of the Allstar application, which was entirely removed to mitigate the issue. The root cause is an authentication bypass due to a hard-coded secret token, "FooBar", used for validating GitHub webhook signatures. The function reviewbot.WebookHandler.HandleRoot in pkg/reviewbot/reviewbot.go is the direct location of the vulnerability, as it uses this hard-coded value when calling github.ValidatePayload. This flaw allows an attacker with knowledge of the public, hard-coded secret to craft a malicious webhook that the application will treat as authentic. Successful exploitation would lead to the execution of the reviewbot.runPRCheck function, which could allow an attacker to manipulate repository pull requests by triggering automated reviews or checks. The main.main function in cmd/reviewbot/main.go serves as the entry point for this vulnerable service, initiating the webhook listener via reviewbot.HandleWebhooks. Therefore, any of these functions appearing in a runtime profile would indicate that the vulnerable component is active and potentially being exploited.

Vulnerable functions

reviewbot.WebookHandler.HandleRoot

pkg/reviewbot/reviewbot.go

This function is the webhook handler that incorrectly validates the incoming payload using a hard-coded secret token 'FooBar'. This allows an attacker to bypass authentication and send malicious webhooks.

reviewbot.runPRCheck

pkg/reviewbot/checks.go

This function is called by the vulnerable 'HandleRoot' function after the flawed authentication. It performs the pull request checks and is the primary target for an attacker to trigger unauthorized actions. Its presence in a runtime profile would be a strong indicator of exploitation.

main.main

cmd/reviewbot/main.go

This is the main entry point for the Reviewbot service. It starts the service and calls 'reviewbot.HandleWebhooks', which sets up the vulnerable webhook listener. This function would be at the top of the call stack when the service is running.

reviewbot.HandleWebhooks

pkg/reviewbot/reviewbot.go

This function sets up the HTTP server and registers the vulnerable 'HandleRoot' method as the handler for the root path. It is a critical part of the execution flow that exposes the vulnerability.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-61926: Allstar Reviewbot has Authentication Bypass via Hard-coded Webhook Secret

Affected Versions

Impact

Exploitability

CVE-2025-61926:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-61926: Allstar Reviewbot has Authentication Bypass via Hard-coded Webhook Secret

Affected Versions

Impact

Exploitability

Technical Details

N/A

N/A

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI