CVE-2025-61926
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-61926, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-09

Last updated on: 2025-10-16

Assigner: GitHub, Inc.

Description

Allstar is a GitHub App to set and enforce security policies. In versions prior to 4.5, a vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret. The value used for the secret token was compiled into the Allstar binary and could not be configured at runtime. In practice, this meant that every deployment using Reviewbot would validate requests with the same secret unless the operator modified source code and rebuilt the component - an expectation that is not documented and is easy to miss. All Allstar releases prior to v4.5 that include the Reviewbot code path are affected. Deployments on v4.5 and later are not affected. Those who have not enabled or exposed the Reviewbot endpoint are not exposed to this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-09
Last Modified
2025-10-16
Generated
2026-07-06
AI Q&A
2025-10-10
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ossf allstar *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
CWE-453 The product, by default, initializes an internal variable with an insecure or less secure value than is possible.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Allstar GitHub App's Reviewbot component in versions prior to 4.5. The issue is that inbound webhook requests are validated using a hard-coded, shared secret token compiled into the binary, which cannot be changed at runtime. As a result, all deployments using Reviewbot validate requests with the same secret unless the operator modifies the source code and rebuilds the component. This creates a risk because the secret is not unique per deployment and is not documented, making it easy to miss and potentially allowing unauthorized requests to be accepted.

Impact Analysis

This vulnerability can impact you by allowing unauthorized parties to send webhook requests that appear valid to the Reviewbot component, since the secret token used for validation is shared and hard-coded. This could lead to unauthorized actions or bypassing security policies enforced by Allstar, potentially compromising the security of your GitHub repositories or workflows that rely on this app.

Mitigation Strategies

To mitigate this vulnerability, upgrade Allstar to version 4.5 or later, as these versions do not include the vulnerable Reviewbot code path. Additionally, if you have not enabled or exposed the Reviewbot endpoint, you are not exposed to this issue. If you are using a version prior to 4.5, consider disabling or restricting access to the Reviewbot endpoint until you can upgrade.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61926. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart