{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-48957", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-05-28T18:49:07.585Z", "datePublished": "2025-06-02T11:16:14.370Z", "dateUpdated": "2025-06-23T18:03:57.703Z"}, "containers": {"cna": {"title": "AstrBot Has Path Traversal Vulnerability in /api/chat/get_file", "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-cq37-g2qp-3c2p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-cq37-g2qp-3c2p"}, {"name": "https://github.com/AstrBotDevs/AstrBot/issues/1675", "tags": ["x_refsource_MISC"], "url": "https://github.com/AstrBotDevs/AstrBot/issues/1675"}, {"name": "https://github.com/AstrBotDevs/AstrBot/pull/1676", "tags": ["x_refsource_MISC"], "url": "https://github.com/AstrBotDevs/AstrBot/pull/1676"}, {"name": "https://github.com/AstrBotDevs/AstrBot/commit/cceadf222c46813c7f41115b40d371e7eb91e492", "tags": ["x_refsource_MISC"], "url": "https://github.com/AstrBotDevs/AstrBot/commit/cceadf222c46813c7f41115b40d371e7eb91e492"}], "affected": [{"vendor": "AstrBotDevs", "product": "AstrBot", "versions": [{"version": ">= 3.4.4, < 3.5.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-02T11:16:14.370Z"}, "descriptions": [{"lang": "en", "value": "AstrBot is a large language model chatbot and development framework. A path traversal vulnerability present in versions 3.4.4 through 3.5.12 may lead to information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. The vulnerability has been addressed in Pull Request #1676 and is included in version 3.5.13. As a workaround, users can edit the `cmd_config.json` file to disable the dashboard feature as a temporary workaround. However, it is strongly recommended to upgrade to version v3.5.13 or later to fully resolve this issue."}], "source": {"advisory": "GHSA-cq37-g2qp-3c2p", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-cq37-g2qp-3c2p", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-02T16:42:40.296383Z", "id": "CVE-2025-48957", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-02T16:43:02.525Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-06-23T18:03:57.703Z"}, "references": [{"url": "https://www.vicarius.io/vsociety/posts/cve-2025-48957-detect-astrbot-dashboard-vulnerability?prevUrl=wizard"}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2025-48957-mitigate-astrbot-dashboard-vulnerability?prevUrl=wizard"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.vicarius.io/vsociety/posts/cve-2025-48957-detect-astrbot-dashboard-vulnerability?prevUrl=wizard"}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2025-48957-mitigate-astrbot-dashboard-vulnerability?prevUrl=wizard"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-06-23T18:03:57.703Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-48957", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-02T16:42:40.296383Z"}}}], "references": [{"url": "https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-cq37-g2qp-3c2p", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-02T16:42:55.958Z"}}], "cna": {"title": "AstrBot Has Path Traversal Vulnerability in /api/chat/get_file", "source": {"advisory": "GHSA-cq37-g2qp-3c2p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "AstrBotDevs", "product": "AstrBot", "versions": [{"status": "affected", "version": ">= 3.4.4, < 3.5.13"}]}], "references": [{"url": "https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-cq37-g2qp-3c2p", "name": "https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-cq37-g2qp-3c2p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/AstrBotDevs/AstrBot/issues/1675", "name": "https://github.com/AstrBotDevs/AstrBot/issues/1675", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/AstrBotDevs/AstrBot/pull/1676", "name": "https://github.com/AstrBotDevs/AstrBot/pull/1676", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/AstrBotDevs/AstrBot/commit/cceadf222c46813c7f41115b40d371e7eb91e492", "name": "https://github.com/AstrBotDevs/AstrBot/commit/cceadf222c46813c7f41115b40d371e7eb91e492", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "AstrBot is a large language model chatbot and development framework. A path traversal vulnerability present in versions 3.4.4 through 3.5.12 may lead to information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. The vulnerability has been addressed in Pull Request #1676 and is included in version 3.5.13. As a workaround, users can edit the `cmd_config.json` file to disable the dashboard feature as a temporary workaround. However, it is strongly recommended to upgrade to version v3.5.13 or later to fully resolve this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-02T11:16:14.370Z"}}}, "cveMetadata": {"cveId": "CVE-2025-48957", "state": "PUBLISHED", "dateUpdated": "2025-06-23T18:03:57.703Z", "dateReserved": "2025-05-28T18:49:07.585Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-02T11:16:14.370Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:astrbot:astrbot:*:*:*:*:*:*:*:*", "matchCriteriaId": "583CC286-55F4-4658-8FFE-0E8FB52BAE09", "versionEndExcluding": "3.5.13", "versionStartIncluding": "3.4.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "AstrBot is a large language model chatbot and development framework. A path traversal vulnerability present in versions 3.4.4 through 3.5.12 may lead to information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. The vulnerability has been addressed in Pull Request #1676 and is included in version 3.5.13. As a workaround, users can edit the `cmd_config.json` file to disable the dashboard feature as a temporary workaround. However, it is strongly recommended to upgrade to version v3.5.13 or later to fully resolve this issue."}, {"lang": "es", "value": "AstrBot es un chatbot de modelo de lenguaje de gran tama\u00f1o y un framework de desarrollo. Una vulnerabilidad de path traversal presente en las versiones 3.4.4 a 3.5.12 podr\u00eda provocar la divulgaci\u00f3n de informaci\u00f3n, como claves de API para proveedores de LLM, contrase\u00f1as de cuentas y otros datos confidenciales. Esta vulnerabilidad se ha solucionado en la solicitud de incorporaci\u00f3n de cambios n.\u00ba 1676 y est\u00e1 incluida en la versi\u00f3n 3.5.13. Como workaround, los usuarios pueden editar el archivo `cmd_config.json` para desactivar la funci\u00f3n del panel. Sin embargo, se recomienda encarecidamente actualizar a la versi\u00f3n 3.5.13 o posterior para resolver este problema por completo."}], "id": "CVE-2025-48957", "lastModified": "2025-06-25T17:39:23.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-06-02T12:15:25.680", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/AstrBotDevs/AstrBot/commit/cceadf222c46813c7f41115b40d371e7eb91e492"}, {"source": "[email protected]", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/AstrBotDevs/AstrBot/issues/1675"}, {"source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Patch"], "url": "https://github.com/AstrBotDevs/AstrBot/pull/1676"}, {"source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-cq37-g2qp-3c2p"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.vicarius.io/vsociety/posts/cve-2025-48957-detect-astrbot-dashboard-vulnerability?prevUrl=wizard"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://www.vicarius.io/vsociety/posts/cve-2025-48957-mitigate-astrbot-dashboard-vulnerability?prevUrl=wizard"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-cq37-g2qp-3c2p"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "[email protected]", "type": "Primary"}]}

{}