GHSA-cq37-g2qp-3c2p: AstrBot Has Path Traversal Vulnerability in /api/chat/get_file

Impact

This vulnerability may lead to:

  • Information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data.

Reproduce

Follow these steps to set up a test environment for reproducing the vulnerability:

  1. Install dependencies and clone the repository:

    pip install uv
    git clone https://github.com/AstrBotDevs/AstrBot && cd AstrBot
    uv run main.py
    
  2. Alternatively, deploy the program via pip:

    mkdir astrbot && cd astrbot
    uvx astrbot init
    uvx astrbot run
    
  3. In another terminal, run the following command to exploit the vulnerability:

    curl -L http://0.0.0.0:6185/api/chat/get_file?filename=../../../data/cmd_config.json
    

This request will read the cmd_config.json config file, leading to the leakage of sensitive data such as LLM API keys, usernames, and password hashes (MD5).
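As an added illustration (not code from AstrBot, its patch, or the advisory), the file-serving pattern that allows this kind of escape is shown next to a hardened resolver. The directory layout, file names and secret contents are constructed for the example, and `safe_resolve` / `hardened_get_file` are hypothetical helpers, not the project's own fix.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Constructed layout: an "attachments" directory the endpoint is meant to serve,
# and a sibling data/cmd_config.json holding a placeholder secret outside it.
ALLOWED_ROOT = Path(tempfile.mkdtemp(prefix="traversal_example_")) / "attachments"
ALLOWED_ROOT.mkdir()
(ALLOWED_ROOT / "image.png").write_bytes(b"constructed sample file")
SECRET = ALLOWED_ROOT.parent / "data" / "cmd_config.json"
SECRET.parent.mkdir()
SECRET.write_text('{"llm_api_key": "CONSTRUCTED-PLACEHOLDER"}')


def vulnerable_get_file(filename: str) -> bytes:
    """Weak pattern: the request parameter is joined straight onto the base path.
    os.path.join keeps '..' segments, so '../data/cmd_config.json' leaves ALLOWED_ROOT."""
    return Path(os.path.join(ALLOWED_ROOT, filename)).read_bytes()


def safe_resolve(filename: str, root: Path = ALLOWED_ROOT) -> Optional[Path]:
    """Return the target only if it is still inside root after full resolution.
    resolve() collapses '..' and follows symlinks, so symlink escapes are caught too."""
    # Reject empty names, NUL bytes and absolute paths before touching the filesystem;
    # an absolute filename would otherwise replace root in the join below.
    if not filename or "\x00" in filename or os.path.isabs(filename):
        return None
    root = root.resolve()
    candidate = (root / filename).resolve()
    if not candidate.is_relative_to(root):
        return None  # traversal or symlink escape
    if not candidate.is_file():
        return None  # missing file or directory; report the same way as a rejection
    return candidate


def hardened_get_file(filename: str) -> Optional[bytes]:
    """Serve the file only when safe_resolve accepts the name; None means 'not found'."""
    target = safe_resolve(filename)
    return target.read_bytes() if target else None
```

Returning the same "not found" result for rejected and missing names avoids confirming to a caller which paths exist outside the served directory.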

Patches

The vulnerability has been addressed in Pull Request #1676 and is included in versions >= v3.5.13. All users are strongly encouraged to upgrade to v3.5.13 or later.

Workarounds

Users can edit the cmd_config.json file to disable the dashboard feature as a temporary workaround. However, it is strongly recommended to upgrade to version v3.5.13 or later as soon as possible to fully resolve this issue.

References

  • GHSA-cq37-g2qp-3c2p
  • https://nvd.nist.gov/vuln/detail/CVE-2025-48957
  • AstrBotDevs/AstrBot#1675
  • AstrBotDevs/AstrBot#1676
  • AstrBotDevs/AstrBot@cceadf2
