Allstar GitHub App Reviewbot Component Authentication Bypass Vulnerability

Vulnerability

A vulnerability exists in the Allstar GitHub App's Reviewbot component, in all versions prior to 4.5, that allows an authentication bypass via inbound webhook requests. These requests were validated against a hard-coded, shared secret token that was embedded in the Allstar binary and could not be modified at runtime. Consequently, every deployment using Reviewbot validated requests with the same secret unless the operator manually changed the source code and rebuilt the component, an undocumented and easily overlooked requirement. This vulnerability affects all Allstar releases before v4.5 that include the Reviewbot code path. Deployments that have not enabled or exposed the Reviewbot endpoint are not impacted.
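As an added illustration in Go (not Allstar's code), the weak pattern the advisory describes sits beside a hardened alternative: the hypothetical WeakAuth compares against a build-time constant shared by every deployment, while WebhookVerifier reads a per-deployment secret from an assumed REVIEWBOT_WEBHOOK_SECRET variable, fails closed when it is missing, and checks an HMAC-SHA256 signature over the request body in constant time. The HMAC signing scheme is a common webhook design assumed here, not something the page states about Reviewbot.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"os"
)

// Weak pattern (constructed placeholder, not Allstar's code): one constant baked
// into every build, so every deployment accepts the same token until the source
// is edited and the binary rebuilt.
const hardcodedToken = "example-shared-token"

// WeakAuth accepts any caller that knows the build-time constant.
func WeakAuth(headerToken string) bool {
	return headerToken == hardcodedToken
}

// Hardened pattern: the secret is per-deployment, supplied at runtime, and the
// process refuses to serve if it is missing or too short.
type WebhookVerifier struct{ secret []byte }

func NewVerifierFromEnv(envVar string) (*WebhookVerifier, error) {
	s := os.Getenv(envVar)
	if len(s) < 32 {
		return nil, errors.New("webhook secret missing or too short; refusing to start")
	}
	return &WebhookVerifier{secret: []byte(s)}, nil
}

// Sign computes the hex HMAC-SHA256 the sender attaches to the request body.
func Sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify recomputes the MAC over the raw body and compares in constant time,
// so malformed hex, a tampered body or a wrong secret are all rejected.
func (v *WebhookVerifier) Verify(body []byte, sigHex string) bool {
	want, err := hex.DecodeString(sigHex)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, v.secret)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), want)
}
```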

Impact

Exploitation of this vulnerability allows for authentication bypass on the Reviewbot webhook, enabling unauthorized actions such as posting automated comments or reviews, influencing checks, or manipulating repository signals. This primarily risks the integrity of repository workflows, with potential secondary effects like disruptive automation or misleading reviews.

Remediation

Users can upgrade to Allstar version 4.5 or later to address this vulnerability. For those who have not enabled or exposed the Reviewbot endpoint, no action is needed.

Added: Oct 9, 2025, 10:18 PM
Updated: Oct 9, 2025, 10:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.1
remediation: 7.7
relevance: 0.6
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.