SCA: security update for github.com/ossf/allstar (GHSA-33f4-mjch-7fpr)

high Tenable Cloud Security Plugin ID 435577

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Allstar is a GitHub App to set and enforce security policies. In versions prior to 4.5, a vulnerability in
Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared
secret. The value used for the secret token was compiled into the Allstar binary and could not be
configured at runtime. In practice, this meant that every deployment using Reviewbot would validate
requests with the same secret unless the operator modified source code and rebuilt the component - an
expectation that is not documented and is easy to miss. All Allstar releases prior to v4.5 that include
the Reviewbot code path are affected. Deployments on v4.5 and later are not affected. Those who have not
enabled or exposed the Reviewbot endpoint are not exposed to this issue. (CVE-2025-61926)

See Also

https://github.com/advisories/GHSA-33f4-mjch-7fpr

Plugin Details

Severity: High

ID: 435577

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 10/11/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.49

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2025-61926

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.2

Threat Score: 4.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/10/2025

Vulnerability Publication Date: 10/9/2025

Reference Information

CVE: CVE-2025-61926

cwe: CWE-798