CVE-2022-21669 CRITICAL

CVE-2022-21669: Bot token exposed in main.py

Vendor: Puddingbot
Product: pudding-bot
Weakness: CWE-798 · Hardcoded credentials
Published: January 11, 2022
Last update: April 23, 2025

CVSS base score

9.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

PuddingBot is a group management bot. In version 0.0.6-b933652 and prior, the bot token is publicly exposed in main.py, making it accessible to malicious actors. The bot token has been revoked and a new version is already running on the server. As of the time of publication, the maintainers are planning to update the code to reflect this change at a later date.

Key dates

02 Disclosure timeline

January 11, 2022: CVE published
April 23, 2025: Record updated