CVE-2025-48957
HIGH EPSS 45.1%
Published Jun 2, 20251y ago · Modified Jun 17, 20261w ago
7.5 CVSS 3.1
Published Jun 2, 2025 1y ago
Last Modified Jun 17, 2026 1w ago
Description
AstrBot is a large language model chatbot and development framework. A path traversal vulnerability present in versions 3.4.4 through 3.5.12 may lead to information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. The vulnerability has been addressed in Pull Request #1676 and is included in version 3.5.13. As a workaround, users can edit the `cmd_config.json` file to disable the dashboard feature as a temporary workaround. However, it is strongly recommended to upgrade to version v3.5.13 or later to fully resolve this issue.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None
Threat Intelligence
EPSS Exploit Probability
45.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 2
CWE-22 Path Traversal Resource Mgmt
CWE-23
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| astrbot | astrbot | * | ≥3.4.4 – <3.5.13 |
References 6
- github.com https://github.com/AstrBotDevs/AstrBot/commit/cceadf222c46813c7f41115b40d371e7eb91e492
- github.com https://github.com/AstrBotDevs/AstrBot/issues/1675
- github.com https://github.com/AstrBotDevs/AstrBot/pull/1676
- github.com https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-cq37-g2qp-3c2p
- vicarius.io https://www.vicarius.io/vsociety/posts/cve-2025-48957-detect-astrbot-dashboard-vulnerability?prevUrl=wizard
- vicarius.io https://www.vicarius.io/vsociety/posts/cve-2025-48957-mitigate-astrbot-dashboard-vulnerability?prevUrl=wizard
Remediation
- github.com https://github.com/AstrBotDevs/AstrBot/commit/cceadf222c46813c7f41115b40d371e7eb91e492
- github.com https://github.com/AstrBotDevs/AstrBot/pull/1676