CVE-2025-61926
BaseFortify

Publication date: 2025-10-09

Last updated on: 2025-10-16

Assigner: GitHub, Inc.

Description
Allstar is a GitHub App to set and enforce security policies. In versions prior to 4.5, a vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret. The value used for the secret token was compiled into the Allstar binary and could not be configured at runtime. In practice, this meant that every deployment using Reviewbot would validate requests with the same secret unless the operator modified source code and rebuilt the component - an expectation that is not documented and is easy to miss. All Allstar releases prior to v4.5 that include the Reviewbot code path are affected. Deployments on v4.5 and later are not affected. Those who have not enabled or exposed the Reviewbot endpoint are not exposed to this issue.
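The failure described above is a correct HMAC check performed against the wrong kind of secret. The following Go example, written for this page and not taken from Allstar's code base, shows the vulnerable pattern beside a hardened one. GitHub's webhook signature scheme (the X-Hub-Signature-256 header carrying "sha256=" + hex(HMAC-SHA256(secret, raw body))) is GitHub's documented behaviour; the secret literal, the REVIEWBOT_WEBHOOK_SECRET variable name and the 32-byte minimum length are assumptions made for the example. The forgery function makes the practical point explicit: once the secret is a compile-time constant, anyone who has read the binary can sign any payload, so the hardened verifier takes a per-deployment secret at startup and refuses to run without one instead of falling back to a built-in default (the CWE-453 part of the finding).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// Vulnerable pattern (CWE-798, CWE-453): the webhook secret is a compile-time
// constant, so every deployment built from this source validates inbound
// webhooks with the same value. The literal is a made-up placeholder for this
// example, not the value that was in Allstar.
const hardcodedWebhookSecret = "example-shared-secret-do-not-use"

// githubSignature returns what GitHub sends in X-Hub-Signature-256:
// "sha256=" followed by hex(HMAC-SHA256(secret, raw request body)).
func githubSignature(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// validateVulnerable performs the HMAC check correctly, but against a secret
// that anyone with the binary or the source also knows.
func validateVulnerable(body []byte, sigHeader string) bool {
	expected := githubSignature([]byte(hardcodedWebhookSecret), body)
	return hmac.Equal([]byte(expected), []byte(sigHeader))
}

// forgeAsAttacker is the consequence: a third party who recovered the constant
// can mint an accepted signature for any payload they choose to send.
func forgeAsAttacker(body []byte) string {
	return githubSignature([]byte(hardcodedWebhookSecret), body)
}

// Hardened pattern: the secret is supplied per deployment at runtime (here
// from an environment variable whose name is assumed for the example), and
// the process refuses to accept webhooks at all if none is configured, rather
// than falling back to a built-in default.
type WebhookVerifier struct {
	secret []byte
}

var ErrNoSecret = errors.New("webhook secret not configured; refusing to accept webhooks")

const minSecretLen = 32 // reject empty and trivially short values

func NewWebhookVerifierFromEnv(envName string) (*WebhookVerifier, error) {
	s := os.Getenv(envName)
	if len(s) < minSecretLen {
		return nil, ErrNoSecret
	}
	return &WebhookVerifier{secret: []byte(s)}, nil
}

// Validate checks X-Hub-Signature-256 in constant time against the
// deployment-specific secret.
func (v *WebhookVerifier) Validate(body []byte, sigHeader string) bool {
	expected := githubSignature(v.secret, body)
	return hmac.Equal([]byte(expected), []byte(sigHeader))
}

func main() {
	body := []byte(`{"action":"opened","pull_request":{"number":42}}`) // constructed sample payload

	forged := forgeAsAttacker(body)
	fmt.Println("shared secret accepts attacker payload:", validateVulnerable(body, forged))

	os.Setenv("REVIEWBOT_WEBHOOK_SECRET", "per-deployment-secret-0123456789abcdef") // demo only
	v, err := NewWebhookVerifierFromEnv("REVIEWBOT_WEBHOOK_SECRET")
	if err != nil {
		fmt.Println("startup refused:", err)
		return
	}
	fmt.Println("per-deployment secret accepts attacker payload:", v.Validate(body, forged))
}
```

Two design points carry over to any webhook receiver: compare signatures with hmac.Equal (or an equivalent constant-time routine) rather than string equality, and make a missing secret a startup failure rather than a silent default, since a receiver that "works" out of the box with no configuration is exactly how a shared value ends up in every deployment.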
Meta Information
Generated: 2026-05-06
AI Q&A: 2025-10-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: ossf
Product: allstar
Version / Range: * (the associated CPE is unscoped; per the description above, the affected releases are those prior to v4.5 that include the Reviewbot code path)
Exploitability
CWE-798: The product contains hard-coded credentials, such as a password or cryptographic key.
CWE-453: The product, by default, initializes an internal variable with an insecure or less secure value than is possible.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects the Allstar GitHub App's Reviewbot component in versions prior to 4.5. The issue is that inbound webhook requests are validated using a hard-coded, shared secret token compiled into the binary, which cannot be changed at runtime. As a result, all deployments using Reviewbot validate requests with the same secret unless the operator modifies the source code and rebuilds the component. This creates a risk because the secret is not unique per deployment and is not documented, making it easy to miss and potentially allowing unauthorized requests to be accepted.


How can this vulnerability impact me?

This vulnerability can impact you by allowing unauthorized parties to send webhook requests that appear valid to the Reviewbot component, since the secret token used for validation is shared and hard-coded. This could lead to unauthorized actions or bypassing security policies enforced by Allstar, potentially compromising the security of your GitHub repositories or workflows that rely on this app.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Allstar to version 4.5 or later; those releases are not affected. If you have not enabled or exposed the Reviewbot endpoint, you are not exposed to this issue. If you must remain on a version prior to 4.5, disable the Reviewbot endpoint or restrict network access to it until you can upgrade, and treat any request the affected endpoint accepted as effectively unauthenticated, since the compiled-in secret is the same for every deployment and anyone who has recovered it from the binary can produce a valid signature.

