x/vulndb: potential Go vuln in github.com/ossf/allstar: GHSA-33f4-mjch-7fpr #4018

@GoVulnBot

Description

Advisory GHSA-33f4-mjch-7fpr references a vulnerability in the following Go modules:

Module
github.com/ossf/allstar

Description:
A vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret:

https://github.com/ossf/allstar/blob/294ae985cc2facd0918e8d820e4196021aa0b914/pkg/reviewbot/reviewbot.go#L59

The value used for the secret token was compiled into the Allstar binary and could not be configured at runtime. In practice, this meant that every deployment using Reviewbot would validate requests with the same secret unless the operator modified source code and rebuilt the component - an expectation that is not documented and is easy to miss. While...

References:

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/ossf/allstar
      versions:
        - fixed: 0.0.0-20250721181116-e004ecb540d6
summary: Allstar Reviewbot has Authentication Bypass via Hard-coded Webhook Secret in github.com/ossf/allstar
cves:
    - CVE-2025-61926
ghsas:
    - GHSA-33f4-mjch-7fpr
references:
    - advisory: https://github.com/advisories/GHSA-33f4-mjch-7fpr
    - advisory: https://github.com/ossf/allstar/security/advisories/GHSA-33f4-mjch-7fpr
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-61926
    - fix: https://github.com/ossf/allstar/commit/e004ecb540d63ca6f5b1689b41af6c0040a82c73
    - fix: https://github.com/ossf/allstar/pull/713
    - web: https://github.com/ossf/allstar/blob/294ae985cc2facd0918e8d820e4196021aa0b914/pkg/reviewbot/reviewbot.go#L59
notes:
    - fix: 'github.com/ossf/allstar: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
    id: GHSA-33f4-mjch-7fpr
    created: 2025-10-10T23:01:14.155913644Z
review_status: UNREVIEWED
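The advisory above describes webhook requests being validated against a secret that is compiled into the binary, so every deployment shares one key and anyone who can read the source or the binary can forge valid signatures. The Go program below is an added illustration of that class of bug beside a hardened form; it is not Allstar's Reviewbot code and not the change in PR #713. It uses the GitHub-style `X-Hub-Signature-256` scheme (HMAC-SHA256 over the body, hex-encoded with a `sha256=` prefix). The placeholder secret, the sample payload, the environment variable name `REVIEWBOT_WEBHOOK_SECRET` and the 32-byte minimum secret length are all assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// hardcodedSecret stands in for a secret compiled into a binary. The value is
// a constructed placeholder, not the one from Allstar. Anyone who can read the
// source or the binary knows it, and every deployment shares it.
const hardcodedSecret = "example-hardcoded-webhook-secret"

// minSecretLen is a policy choice made for this example, not an Allstar setting.
const minSecretLen = 32

// signPayload produces a GitHub-style X-Hub-Signature-256 value:
// "sha256=" followed by hex(HMAC-SHA256(secret, body)).
func signPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// validateVulnerable is the weak form: the key is fixed at build time, so a
// correctly computed MAC over any body is accepted by every deployment.
func validateVulnerable(body []byte, sigHeader string) bool {
	expected := signPayload([]byte(hardcodedSecret), body)
	return hmac.Equal([]byte(expected), []byte(sigHeader))
}

// WebhookVerifier is the hardened form: the secret is supplied per deployment
// at runtime and is never a compile-time constant.
type WebhookVerifier struct {
	secret []byte
}

// NewWebhookVerifier rejects an absent or short secret so a misconfigured
// deployment fails to start instead of silently accepting a shared default.
func NewWebhookVerifier(secret []byte) (*WebhookVerifier, error) {
	if len(secret) < minSecretLen {
		return nil, errors.New("webhook secret missing or shorter than minimum; refusing to start")
	}
	return &WebhookVerifier{secret: secret}, nil
}

// NewWebhookVerifierFromEnv reads the secret from an environment variable;
// the variable name is an assumption of this example.
func NewWebhookVerifierFromEnv() (*WebhookVerifier, error) {
	return NewWebhookVerifier([]byte(os.Getenv("REVIEWBOT_WEBHOOK_SECRET")))
}

// Validate recomputes the MAC with the runtime secret and compares it in
// constant time against the presented header.
func (v *WebhookVerifier) Validate(body []byte, sigHeader string) bool {
	expected := signPayload(v.secret, body)
	return hmac.Equal([]byte(expected), []byte(sigHeader))
}

func main() {
	// Constructed sample webhook body; an attacker can choose any content.
	body := []byte(`{"action":"opened","pull_request":{"number":1}}`)

	// An attacker who read the binary forges a valid signature for it.
	forged := signPayload([]byte(hardcodedSecret), body)
	fmt.Println("vulnerable validator accepts forged request:", validateVulnerable(body, forged))

	// A per-deployment secret (constructed value) defeats the forgery.
	v, err := NewWebhookVerifier([]byte("0123456789abcdef0123456789abcdef"))
	if err != nil {
		fmt.Println("startup failed:", err)
		return
	}
	fmt.Println("hardened validator accepts forged request:", v.Validate(body, forged))
	fmt.Println("hardened validator accepts genuine request:", v.Validate(body, signPayload(v.secret, body)))

	// With REVIEWBOT_WEBHOOK_SECRET unset, startup fails closed instead of
	// falling back to a default key.
	_, err = NewWebhookVerifierFromEnv()
	fmt.Println("startup from environment:", err)
}
```

The point of the hardened path is not the HMAC itself, which both forms compute correctly, but where the key comes from: a secret baked into the binary is equivalent to no secret for anyone who can obtain the binary, so the verifier refuses to run without one supplied at deployment time.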
