
136 matches found

CNNVD
added 2026/04/12 12:0 a.m., 4 views

AstrBot code issue vulnerability

AstrBot is an open-source multi-platform LLM chatbot and development framework developed by AstrBot. Versions of AstrBot 4.22.1 and earlier contained code vulnerabilities. These vulnerabilities stemmed from improper handling of the postdata.get function in the API Endpoint component, which could...

CVSS 6.5, AI score 6.7, EPSS 0.00257
Exploits: 0, References: 6

CNNVD
added 2026/04/12 12:0 a.m., 4 views

AstrBot command injection vulnerability

AstrBot is an open-source multi-platform LLM chatbot and development framework created by AstrBot. Versions of AstrBot 4.22.1 and earlier contained a command injection vulnerability. This vulnerability stemmed from the improper handling of the command parameter in the addmcpserver function within...

CVSS 6.5, AI score 6.6, EPSS 0.02304
Exploits: 0, References: 6

Positive Technologies
added 2026/04/12 12:0 a.m., 4 views

PT-2026-32151

A vulnerability was identified in AstrBotDevs AstrBot up to 4.22.1. The affected element is the function post data.get of the component API Endpoint. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be use...

CVSS 6.5, AI score 6.2, EPSS 0.00257
Exploits: 0, References: 6

Veracode
added 2025/12/13 7:48 a.m., 5 views

Directory Traversal

AstrBot is vulnerable to Directory Traversal. The vulnerability is due to an arbitrary file read vulnerability in the encodeimagebs64 function, where attackers can construct malicious URLs to read any specified file, resulting in sensitive data leakage...

CVSS 6.5, AI score 5.9, EPSS 0.00275
Exploits: 1, References: 5, Affected Software: 1

GithubExploit
added 2025/12/10 5:31 a.m., 208 views

Exploit for CVE-2025-55449

CVE-2025-55449 - AstrBot Remote Code Execution RCE Vulnerabi...

AI score 9.3, EPSS 0.00281
Exploits: 2

EUVD
added 2025/11/14 9:52 p.m., 6 views

EUVD-2025-197660

AstrBot is vulnerable to RCE with hard-coded JWT signing keys...

AI score 6.4, EPSS 0.00281
Exploits: 2, References: 5

Snyk
added 2025/11/14 9:52 p.m., 2 views

Use of Hard-coded Credentials

Overview AstrBot is an easy-to-use multi-platform LLM chatbot and development framework. Affected versions of this package are vulnerable to Use of Hard-coded Credentials for signature verification. An attacker can gain unauthorized access and execute arbitrary commands by bypassing authentication using a hard-coded JWT signing key and...

CVSS 9.8, AI score 7.7, EPSS 0.00281
Exploits: 2, References: 2

OSV
added 2025/11/14 9:52 p.m., 4 views

GHSA-4M32-CJV7-F425 AstrBot is vulnerable to RCE with hard-coded JWT signing keys

Summary AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin. Details AstrBot uses a hard-coded JWT signing key, which allows attackers to bypass the authentication mechanism. Once bypassed, the attacker can install a Python...

CVSS 9.8, AI score 7.8, EPSS 0.00281
Exploits: 2, References: 6

Github Security Blog
added 2025/11/14 9:52 p.m., 8 views

AstrBot is vulnerable to RCE with hard-coded JWT signing keys

Summary AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin. Details AstrBot uses a hard-coded JWT signing key, which allows attackers to bypass the authentication mechanism. Once bypassed, the attacker can install a Python...

CVSS 7.3, AI score 7.9, EPSS 0.00281
Exploits: 2, References: 7, Affected Software: 1

RedhatCVE
added 2025/11/08 12:55 a.m., 10 views

CVE-2025-57697

AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function encodeimagebs64. Since the encodeimagebs64 function defined in entities.py opens the image specified by the user in the request body and returns the image content as a base64-encoded string without checking the legitimac...

CVSS 6.5, AI score 6.8, EPSS 0.00275
Exploits: 1, References: 1

RedhatCVE
added 2025/11/08 12:55 a.m., 17 views

CVE-2025-57698

AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function installpluginupload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to filepath without checking the validi...

CVSS 7.5, AI score 6.9, EPSS 0.00675
Exploits: 1, References: 1

EUVD
added 2025/11/07 6:30 p.m., 3 views

EUVD-2025-38261

AstrBot has an arbitrary file read vulnerability in function encodeimagebs64...

AI score 6.5, EPSS 0.00275
Exploits: 1, References: 3

Snyk
added 2025/11/07 6:30 p.m., 6 views

Directory Traversal

Overview AstrBot is an easy-to-use multi-platform LLM chatbot and development framework. Affected versions of this package are vulnerable to Directory Traversal via the encodeimagebs64 function. An attacker can access sensitive files by supplying a crafted file path in the request body. Details A Directory Traversal attack also known as pa...

CVSS 7.1, AI score 6.5, EPSS 0.00275
Exploits: 1, References: 2

Github Security Blog
added 2025/11/07 6:30 p.m., 7 views

AstrBot has an arbitrary file read vulnerability in function _encode_image_bs64

AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function encodeimagebs64. Since the encodeimagebs64 function defined in entities.py opens the image specified by the user in the request body and returns the image content as a base64-encoded string without checking the legitimac...

CVSS 6.5, AI score 6.9, EPSS 0.00275
Exploits: 1, References: 3, Affected Software: 1

OSV
added 2025/11/07 6:30 p.m., 3 views

GHSA-VM2F-46XC-5JC3 AstrBot has an arbitrary file read vulnerability in function _encode_image_bs64

AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function encodeimagebs64. Since the encodeimagebs64 function defined in entities.py opens the image specified by the user in the request body and returns the image content as a base64-encoded string without checking the legitimac...

CVSS 7.1, AI score 6.9, EPSS 0.00275
Exploits: 1, References: 3

OSV
added 2025/11/07 6:30 p.m., 4 views

GHSA-XRJ9-MW57-J34V AstrBot contains a directory traversal vulnerability

AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function installpluginupload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to filepath without checking the validi...

CVSS 8.7, AI score 6.9, EPSS 0.00675
Exploits: 1, References: 3

NVD
added 2025/11/07 6:15 p.m., 5 views

CVE-2025-57697

AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function encodeimagebs64. Since the encodeimagebs64 function defined in entities.py opens the image specified by the user in the request body and returns the image content as a base64-encoded string without checking the legitimac...

CVSS 6.5, EPSS 0.00275
Exploits: 1, References: 1

OSV
added 2025/11/07 6:15 p.m., 3 views

CVE-2025-57697

AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function encodeimagebs64. Since the encodeimagebs64 function defined in entities.py opens the image specified by the user in the request body and returns the image content as a base64-encoded string without checking the legitimac...

CVSS 6.5, AI score 6.5
Exploits: 0, References: 1

OSV
added 2025/11/07 5:15 p.m., 5 views

CVE-2025-57698

AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function installpluginupload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to filepath without checking the validi...

CVSS 7.5, AI score 6.5
Exploits: 0, References: 1

NVD
added 2025/11/07 5:15 p.m., 8 views

CVE-2025-57698

AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function installpluginupload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to filepath without checking the validi...

CVSS 7.5, EPSS 0.00675
Exploits: 1, References: 1