GitHub App Vulnerability in Allstar Reviewbot Component
CVE-2025-61926

4.6 MEDIUM

Key Information:

Vendor: Ossf
Status: Vendor
CVE Published: 9 October 2025

What is CVE-2025-61926?

Allstar's Reviewbot component validates inbound webhook requests against a hard-coded, shared secret. Because the secret token is embedded in the Allstar binary, it cannot be changed at runtime, so every deployment that runs the Reviewbot uses the same secret unless the value is altered in the source code and the binary rebuilt. That process is neither documented nor intuitive, so deployments are likely to be left on the shared value. Users on version 4.5 and later are not impacted, and deployments that do not enable the Reviewbot endpoint are not affected.
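The flaw described above is a pattern rather than anything specific to Allstar's code: a webhook verifier whose secret is a compile-time constant accepts any request signed with that constant, and the constant is the same in every build. The following Go example is added here to illustrate the point and is not Allstar's code; it contrasts the anti-pattern (a constant secret) with a verifier that loads a per-deployment secret from configuration and refuses to start without one. The signature format (HMAC-SHA256, sent as `sha256=<hex>` in the `X-Hub-Signature-256` header) is GitHub's documented webhook scheme; the environment variable name `REVIEWBOT_WEBHOOK_SECRET`, the secret and payload values are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"strings"
)

// hardcodedSecret shows the anti-pattern: a secret baked into the binary is
// identical in every deployment, so possession of any copy of the build is
// enough to produce signatures every other deployment accepts.
const hardcodedSecret = "example-constant-baked-into-the-binary" // constructed value

// Constructed sample values for the demonstration; not taken from Allstar.
var (
	sampleSecret  = []byte("per-deployment-secret-loaded-from-config")
	samplePayload = []byte(`{"action":"opened","number":42}`)
)

// computeSignature returns the GitHub-style "sha256=<hex>" HMAC-SHA256 value
// of payload under secret. A sender computes this before delivering a webhook.
func computeSignature(secret, payload []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// verifySignature checks an X-Hub-Signature-256 header value against the raw
// request body. It rejects an empty secret outright and compares in constant
// time so the check does not leak information through timing.
func verifySignature(secret, payload []byte, header string) bool {
	if len(secret) == 0 {
		return false
	}
	if !strings.HasPrefix(header, "sha256=") {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, "sha256="))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	return hmac.Equal(got, mac.Sum(nil))
}

// loadWebhookSecret reads the per-deployment secret from the environment
// (hypothetical variable name). Refusing to start without a configured secret
// is what prevents a silent fallback to a shared default.
func loadWebhookSecret(env func(string) string) ([]byte, error) {
	s := env("REVIEWBOT_WEBHOOK_SECRET")
	if s == "" {
		return nil, errors.New("REVIEWBOT_WEBHOOK_SECRET is not set; refusing to accept webhooks")
	}
	return []byte(s), nil
}

func main() {
	// Anti-pattern: with the constant secret, a signature computed from the
	// value inside the binary is accepted by every deployment of that build.
	sig := computeSignature([]byte(hardcodedSecret), samplePayload)
	fmt.Println("constant secret accepts signature from any copy of the binary:",
		verifySignature([]byte(hardcodedSecret), samplePayload, sig))

	// Hardened form: the secret comes from this deployment's configuration.
	secret, err := loadWebhookSecret(os.Getenv)
	if err != nil {
		fmt.Println("startup refused:", err)
		return
	}
	sig = computeSignature(secret, samplePayload)
	fmt.Println("per-deployment secret verifies its own deliveries:",
		verifySignature(secret, samplePayload, sig))
}
```

Run with `REVIEWBOT_WEBHOOK_SECRET` unset and the program refuses to accept webhooks at all, which is the behaviour a practitioner wants instead of a silent shared default; set it to a value unique to the deployment and only deliveries signed with that value pass.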

Affected Version(s)

allstar < 0.0.0-20250721181116-e004ecb540d6

References

CVSS V4

Score: 4.6
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
