136 matches found
CVE-2025-57697
AstrBot Project v3.5.22 contains an arbitrary file read vulnerability in the _encode_image_bs64 function (entities.py), where the function opens a user-provided image path and returns its content base64-encoded without validating the path. This path-traversal/unsafe file read leads to potential s...
PT-2025-45469
Name of the Vulnerable Software and Affected Versions AstrBot Project version 3.5.22 Description The software contains a directory traversal issue. The install plugin upload function within the '/plugin/install-upload' interface directly uses a filename from the request body, assigning it to the...
AstrBot Security Vulnerability
AstrBot is a multi-platform LLM chatbot and development framework open-sourced by AstrBot. A security vulnerability exists in AstrBot version v3.5.22, which stems from the encodeimagebs64 function not verifying the legitimacy of an image path, which could lead to arbitrary file reads and data lea...
CVE-2025-57698
AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function installpluginupload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to filepath without checking the validi...
AstrBot Security Vulnerability
AstrBot is a multi-platform LLM chatbot and development framework open-sourced by AstrBot. A security vulnerability exists in AstrBot version v3.5.22, which stems from an incorrect manipulation of the parameter filename in the file /plugin/install-upload, which could lead to a directory traversal...
EUVD-2025-16634
Malicious code in bioql PyPI...
Path Traversal
astrbot is vulnerable to a Path Traversal. The vulnerability is due to improper validation or sanitization of file path inputs, allowing attackers to access files outside the intended directories...
GHSA-CQ37-G2QP-3C2P AstrBot Has Path Traversal Vulnerability in /api/chat/get_file
Impact This vulnerability may lead to: Information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. Reproduce Follow these steps to set up a test environment for reproducing the vulnerability: 1. Install dependencies and clone the repository: bash pip...
CVE-2025-48957
AstrBot is a large language model chatbot and development framework. A path traversal vulnerability present in versions 3.4.4 through 3.5.12 may lead to information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. The vulnerability has been addressed in...
CVE-2025-48957
AstrBot has a documented path traversal vulnerability in versions 3.4.4–3.5.12 that can disclose sensitive data (e.g., LLM API keys and passwords) via the /api/chat/get_file endpoint. The issue is addressed in PR #1676 and included in v3.5.13. A temporary workaround is to disable the dashboard in...
CVE-2025-48957 AstrBot Has Path Traversal Vulnerability in /api/chat/get_file
AstrBot is a large language model chatbot and development framework. A path traversal vulnerability present in versions 3.4.4 through 3.5.12 may lead to information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. The vulnerability has been addressed in...
AstrBot Security Vulnerability
AstrBot is a multi-platform LLM chatbot and development framework open-sourced by AstrBot. A security vulnerability exists in AstrBot versions 3.4.4 through 3.5.12, which stems from a path traversal flaw that could lead to the disclosure of sensitive information...
PT-2025-23500 · Astrbot · Astrbot
Name of the Vulnerable Software and Affected Versions: AstrBot versions 3.4.4 through 3.5.12 Description: AstrBot is a large language model chatbot and development framework. A path traversal vulnerability may lead to information disclosure, such as API keys for LLM providers, account passwords,...
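The AstrBot entries above all describe one defect: a file name or path taken from the request (the get_file parameter, the upload filename, the image path passed to the base64 encoder) is joined to a directory and opened or written without checking that the result stays inside that directory. The block below is an added illustration, not AstrBot's own code: it shows the unchecked join beside a hardened resolver that canonicalises the path and tests containment, then exercises both on a constructed temporary layout. The function names (safe_resolve, read_file_for_download, save_upload), the directory layout and the sample cmd_config.json file are assumptions made for this example.

```python
"""Containment check for user-supplied file names (added example, not AstrBot code).

Assumed names: safe_resolve, read_file_for_download, save_upload, demo.
The directory layout and the 'cmd_config.json' secret are constructed here.
"""
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied name would escape the allowed directory."""


def vulnerable_resolve(base_dir: str, user_name: str) -> str:
    """The unchecked pattern the advisories describe: join and use as-is.

    os.path.join('/data/files', '../cmd_config.json') -> '/data/files/../cmd_config.json'
    os.path.join('/data/files', '/etc/passwd')        -> '/etc/passwd' (base discarded)
    """
    return os.path.join(base_dir, user_name)


def safe_resolve(base_dir: str, user_name: str) -> str:
    """Resolve user_name under base_dir and refuse anything that escapes it.

    realpath() collapses '..' segments and follows symlinks, so the test is done
    on the canonical path, not the raw string. Absolute user paths are rejected
    up front because os.path.join() would otherwise drop base_dir entirely.
    """
    if not user_name or os.path.isabs(user_name):
        raise PathTraversalError(f"rejected path: {user_name!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_name))
    # commonpath compares whole segments, so '/data/files' does not
    # accidentally accept '/data/files_evil/x' the way a prefix check would.
    if os.path.commonpath([base, target]) != base:
        raise PathTraversalError(f"rejected path: {user_name!r}")
    return target


def read_file_for_download(base_dir: str, user_name: str) -> bytes:
    """get_file-style handler: return bytes of a file inside base_dir only."""
    with open(safe_resolve(base_dir, user_name), "rb") as fh:
        return fh.read()


def save_upload(base_dir: str, filename: str, data: bytes) -> str:
    """install-upload-style handler: write only to base_dir/<basename>.

    An upload name should never carry directory components at all, so the
    basename is taken first and then still passed through the containment check.
    """
    target = safe_resolve(base_dir, os.path.basename(filename))
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Run the checks against a constructed temp layout and return the results."""
    root = tempfile.mkdtemp()
    files_dir = os.path.join(root, "files")
    os.mkdir(files_dir)
    with open(os.path.join(files_dir, "ok.txt"), "wb") as fh:
        fh.write(b"public")
    # Constructed secret one level above the served directory.
    with open(os.path.join(root, "cmd_config.json"), "wb") as fh:
        fh.write(b'{"api_key": "sk-constructed"}')

    results = {"ok": read_file_for_download(files_dir, "ok.txt")}
    try:
        read_file_for_download(files_dir, "../cmd_config.json")
        results["traversal"] = "allowed"
    except PathTraversalError:
        results["traversal"] = "blocked"
    # The unchecked join really does point at the file outside files_dir.
    results["unchecked_reaches_secret"] = os.path.exists(
        vulnerable_resolve(files_dir, "../cmd_config.json")
    )
    saved = save_upload(files_dir, "../../evil.zip", b"PK")
    results["upload_kept_inside"] = os.path.dirname(saved) == os.path.realpath(files_dir)
    return results


if __name__ == "__main__":
    print(demo())
```

The important design choice is to compare canonical paths with os.path.commonpath rather than to look for ".." in the string: encoded or symlinked variants bypass string filters, while realpath() resolves them before the containment test runs.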