Vulnerability in Ossf Allstar
CVE-2025-61926
Allstar is a GitHub App to set and enforce security policies. In versions prior to 4.5, a vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret. The value used fo…
EPSS: 0.001 (23.8th percentile)
Affected products
- Ossf Allstar — versions < 0.0.0-20250721181116-e004ecb540d6
Weakness classification (CWE)
References
- https://github.com/ossf/allstar/security/advisories/GHSA-33f4-mjch-7fpr (x_refsource_CONFIRM)
- https://github.com/ossf/allstar/pull/713 (x_refsource_MISC)
- https://github.com/ossf/allstar/commit/e004ecb540d63ca6f5b1689b41af6c0040a82c73 (x_refsource_MISC)
- https://github.com/ossf/allstar/blob/294ae985cc2facd0918e8d820e4196021aa0b914/pkg/reviewbot/reviewbot.go#L59 (x_refsource_MISC)