CVE-2025-65957
BaseFortify
Publication date: 2025-11-26
Last updated on: 2025-11-26
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| core_bot | core_bot | 4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the Core Bot, an open source Discord bot, where sensitive API keys (such as SUPABASE_API_KEY and TOKEN) that are normally loaded via environment variables can be inadvertently exposed. Specifically, in certain parts of the code related to error handling, summaries, and webhooks, configuration summaries may leak sensitive data by failing to properly redact it in summary embeds or logs. This exposure could allow unauthorized parties to access sensitive credentials.
How can this vulnerability impact me?
The vulnerability can lead to the exposure of sensitive API keys, which could allow attackers to gain unauthorized access to services or data protected by those keys. This could result in data breaches, unauthorized actions within the bot's environment, or compromise of connected systems relying on those credentials.
What immediate steps should I take to mitigate this vulnerability?
Update the Core Bot to include the patch from commit dffe050 which fixes the issue of sensitive data leakage by properly redacting configuration summaries in error handling, summaries, and webhooks. Ensure that environment variables containing API keys (SUPABASE_API_KEY, TOKEN) are not exposed in logs or summary embeds.
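As an added defensive illustration (not code from Core Bot or from the commit referenced above), the following Python redacts a configuration summary before it is rendered into an embed field or log line, and adds a guard that checks already-rendered text for raw credential values. The key-name list beyond TOKEN and SUPABASE_API_KEY, the value-shape heuristics and the sample config are assumptions made for the example.

```python
import re
from typing import Any, Iterator

# Setting names whose values must never reach an embed or a log. TOKEN and
# SUPABASE_API_KEY come from the advisory; the rest is an assumed list. The
# match is substring based, so an innocent key such as MONKEY is redacted too.
SENSITIVE_KEY_RE = re.compile(r"key|token|secret|password|passwd", re.IGNORECASE)
# Heuristic for credential-shaped values under an innocuous key name:
# a JWT (base64 "eyJ" header) or a long three-part dotted token.
SENSITIVE_VALUE_RE = re.compile(
    r"^(?:eyJ[\w-]+\.[\w-]+\.[\w-]+|[\w-]{24,}\.[\w-]{6}\.[\w-]{27,})$"
)
REDACTED = "[REDACTED]"

# Constructed sample config; the values are placeholders, not real credentials.
SAMPLE_CONFIG: dict[str, Any] = {
    "TOKEN": "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA.Ab12Cd.abcdefghijklmnopqrstuvwxyz1",
    "SUPABASE_API_KEY": "eyJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiYW5vbiJ9.sig",
    "PREFIX": "!",
    "supabase": {"url": "https://example.invalid", "service_key": "svc-123"},
    "STATUS_TEXT": "eyJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiYW5vbiJ9.sig2",
}

def is_sensitive(key: str, value: Any) -> bool:
    """True if either the key name or the value shape marks a credential."""
    return isinstance(value, str) and bool(
        SENSITIVE_KEY_RE.search(key) or SENSITIVE_VALUE_RE.match(value)
    )

def redact_config(config: dict[str, Any]) -> dict[str, Any]:
    """Deep copy with credential values replaced; nested dicts are walked,
    so a secret under config["supabase"]["service_key"] is caught too."""
    return {
        k: redact_config(v) if isinstance(v, dict)
        else REDACTED if is_sensitive(k, v) else v
        for k, v in config.items()
    }

def _leaves(config: dict[str, Any]) -> Iterator[tuple[str, Any]]:
    """Yield (key, value) leaf pairs of a nested config, depth first."""
    for k, v in config.items():
        yield from _leaves(v) if isinstance(v, dict) else [(k, v)]

def build_summary(config: dict[str, Any]) -> str:
    """Flat 'key: value' text as it would go into an embed field or log line."""
    return "\n".join(f"{k}: {v}" for k, v in _leaves(redact_config(config)))

def find_leaks(rendered: str, config: dict[str, Any]) -> list[str]:
    """Keys whose raw credential value still appears in rendered text (pre-send guard)."""
    return [k for k, v in _leaves(config) if is_sensitive(k, v) and v in rendered]
```

Run `find_leaks` over every summary string in the error-handling, summary and webhook paths before it is sent; a non-empty result means a redaction step was skipped.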