Impact
The github_workflows module in Black Lantern Security’s BBOT tool builds local file paths from user-controlled repository names without checking for symbolic links. A local attacker who shares the scan directory can plant a symlink at a predictable output path. When the module writes workflow data, the symlink redirects the write to an attacker-chosen location, effectively granting the attacker arbitrary local file write capability. This is a classic Directory Traversal (CWE-59) weakness that can bypass intended write restrictions and may allow overwriting or creating files owned by the BBOT process.
Affected Systems
The affected product is Black Lantern Security’s BBOT. The vulnerability exists in the github_workflows module wherever it processes user‑provided repository names. No specific version range is listed in the CNA data, so all releases containing the unvalidated path handling code are potentially affected.
Risk and Exploitability
The CVSS score of 2.2 indicates very low severity, and the EPSS score of < 1% shows an extremely small probability of exploitation. The vulnerability is not listed in CISA KEV. The only attack surface is a local actor capable of creating a symlink within the BBOT scan directory. Because BBOT does not check that resolved paths remain inside the intended directory, a well‑placed symlink can redirect data to any location visible to the BBOT process, including system files. If BBOT runs with elevated privileges, this could lead to privilege escalation. The exploit requires only local file‑system access and the ability to create a symlink, making it straightforward for a local adversary and requiring no network or user interaction.
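The missing check can be illustrated with a short Python sketch. This is an added example, not BBOT's code or its fix: naive_write stands in for the join-and-write pattern described above, and write_no_follow is a hypothetical hardened helper that walks the path with directory file descriptors and O_NOFOLLOW. It assumes a POSIX system; the file and directory names are constructed.

```python
import os
import tempfile

def naive_write(base_dir, rel_path, data):
    """Pattern the advisory describes: join, then write through any symlink."""
    path = os.path.join(base_dir, rel_path)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def write_no_follow(base_dir, rel_path, data):
    """Write base_dir/rel_path, refusing any symlink below base_dir."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError(f"unsafe relative path: {rel_path!r}")
    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            try:
                os.mkdir(name, 0o700, dir_fd=dir_fd)
            except FileExistsError:
                pass
            # O_NOFOLLOW: open() fails with OSError if `name` is a symlink
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        fd = os.open(parts[-1], flags, 0o600, dir_fd=dir_fd)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    finally:
        os.close(dir_fd)

def demo():
    """Constructed scenario: scan/repo is a symlink pointing outside scan/."""
    with tempfile.TemporaryDirectory() as tmp:
        scan, outside = os.path.join(tmp, "scan"), os.path.join(tmp, "outside")
        os.mkdir(scan)
        os.mkdir(outside)
        os.symlink(outside, os.path.join(scan, "repo"))
        naive_write(scan, "repo/a.txt", b"x")  # lands in outside/
        escaped = os.listdir(outside) == ["a.txt"]
        try:
            write_no_follow(scan, "repo/b.txt", b"x")
            blocked = False
        except OSError:  # symlinked component refused, nothing new written
            blocked = os.listdir(outside) == ["a.txt"]
        write_no_follow(scan, "other/c.txt", b"x")  # ordinary path still works
        return escaped, blocked, os.path.exists(os.path.join(scan, "other", "c.txt"))
```

Opening each component relative to the parent descriptor avoids the race left by a resolve-then-write check, where a link could be swapped in between the check and the write.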