CVE-2025-48957

HIGH EPSS 45.1%
Published Jun 2, 20251y ago · Modified Jun 17, 20261w ago
7.5 CVSS 3.1
High
Find Similar
Published Jun 2, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

AstrBot is a large language model chatbot and development framework. A path traversal vulnerability present in versions 3.4.4 through 3.5.12 may lead to information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. The vulnerability has been addressed in Pull Request #1676 and is included in version 3.5.13. As a workaround, users can edit the `cmd_config.json` file to disable the dashboard feature as a temporary workaround. However, it is strongly recommended to upgrade to version v3.5.13 or later to fully resolve this issue.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
45.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-22 Path Traversal Resource Mgmt
CWE-23

Affected Products 1

VendorProductVersionRange
astrbotastrbot*≥3.4.4  –  <3.5.13

References 6

  • github.com https://github.com/AstrBotDevs/AstrBot/commit/cceadf222c46813c7f41115b40d371e7eb91e492
    Patch
  • github.com https://github.com/AstrBotDevs/AstrBot/issues/1675
    ExploitIssue Tracking
  • github.com https://github.com/AstrBotDevs/AstrBot/pull/1676
    ExploitIssue TrackingPatch
  • github.com https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-cq37-g2qp-3c2p
    ExploitVendor Advisory
  • vicarius.io https://www.vicarius.io/vsociety/posts/cve-2025-48957-detect-astrbot-dashboard-vulnerability?prevUrl=wizard
    ExploitThird Party Advisory
  • vicarius.io https://www.vicarius.io/vsociety/posts/cve-2025-48957-mitigate-astrbot-dashboard-vulnerability?prevUrl=wizard
    MitigationThird Party Advisory

Remediation

  • github.com https://github.com/AstrBotDevs/AstrBot/commit/cceadf222c46813c7f41115b40d371e7eb91e492
    Patch
  • github.com https://github.com/AstrBotDevs/AstrBot/pull/1676
    ExploitIssue TrackingPatch