Platform: python
Component: astrbot
Fixed in: 3.4.5, 3.5.13
CVE-2025-48957 is a path traversal vulnerability in AstrBot, a Python-based chatbot framework. The flaw lets a requester read files outside the directory the application intends to serve, exposing sensitive data. This entry lists versions up to 3.5.9 as affected and 3.4.5 and 3.5.13 as the fixed releases; treat any deployment below 3.5.13 as unpatched until confirmed otherwise. A public proof of concept exists and the issue is straightforward to reproduce against a test deployment.
The primary impact of CVE-2025-48957 is information disclosure. By walking outside the intended directory with `../` sequences, an attacker can read files the application was never meant to serve, including AstrBot's own configuration, which holds API keys for Large Language Model (LLM) providers and account passwords, and any other file the AstrBot process user can read. With those secrets an attacker gains unauthorized access to the LLM services and accounts they protect, which can escalate to data breaches and account compromise. Because the bug is triggered by a single crafted request and a public proof of concept exists, the barrier to entry is low.
CVE-2025-48957 was publicly disclosed on 2025-06-04, with a proof of concept included in the vulnerability description. The simplicity of the bug and the availability of a PoC put it at moderate risk of exploitation. There are currently no reports of active exploitation campaigns targeting it, but a public one-request PoC warrants prompt attention.
Any organization running AstrBot is exposed, and especially so where the instance talks to LLM providers or stores credentials in its configuration files. On shared hosts the blast radius is larger: an AstrBot process running as a user with broad read permissions can be used to read files belonging to other tenants on the same machine.
• python / server:
# Check the installed AstrBot version (assumes a pip-installed package that exposes __version__; for a git checkout compare the working tree against the release tags instead)
python -c "import astrbot; print(astrbot.__version__)"
# Look for traversal sequences, plain and percent-encoded, in the reverse-proxy access log (assumed nginx log path; adjust for your deployment)
grep -iE '(\.\./|%2e%2e|%2e\.|\.%2e)' /var/log/nginx/access.log
• generic web:
# Probe the dashboard for traversal; --path-as-is stops curl from collapsing the ../ segments before the request is sent
curl --path-as-is 'http://your-astrbot-server/../../../../etc/passwd'
Exploit status: disclosure
EPSS: 0.38% (59th percentile)
CISA SSVC: (not listed)
CVSS vector: (not listed)
The fix for CVE-2025-48957 is to upgrade AstrBot to 3.5.13 or later (3.4.5 on the older branch, per the "Fixed in" field). If an immediate upgrade is blocked by compatibility or downtime constraints, apply the vendor's interim workaround of disabling the dashboard in `cmd_config.json`, and narrow the blast radius in the meantime: restrict network access to the dashboard port with firewall rules or a reverse proxy so only trusted addresses can reach it, run AstrBot as a dedicated low-privilege user, and confirm that the configuration file holding LLM keys and passwords is readable only by that user. A reverse-proxy or WAF rule that rejects request paths containing `..` in plain or percent-encoded form blocks the obvious payloads, but it is a stopgap rather than a fix, since the application still trusts the path it receives. After upgrading, confirm the fix by sending the traversal request from the public PoC against the patched instance and verifying that it is rejected instead of returning file contents.
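The bug class behind this CVE, and the check a fixed handler needs, are easiest to see side by side. The following is an added example, not AstrBot's code: it pairs the classic vulnerable path resolution with a hardened one and runs both against traversal payloads of the kind a scanner or the public PoC would send. The function names, the temporary directory layout and the `cmd_config.json` placed one level above the served directory are constructed for the illustration.

```python
"""Path traversal in a file-serving handler: vulnerable resolution beside a hardened one.

Added illustration of the bug class behind CVE-2025-48957. This is not AstrBot's
code; the function names, the directory layout and the secret file are constructed
for the example.
"""
import os
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_vulnerable(base_dir: str, user_path: str) -> str:
    """The classic bug: joining an untrusted path onto the served directory.

    os.path.join walks upward on '..' and discards base_dir entirely when
    user_path is absolute, so the handler reads whatever the process user can
    read (for AstrBot, cmd_config.json with LLM API keys and passwords).
    """
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_hardened(base_dir: str, user_path: str) -> Path:
    """Resolve user_path inside base_dir and refuse anything that escapes it.

    - percent-decodes twice so %2e%2e and %252e%252e are seen as '..'
    - rejects absolute paths and NUL bytes before touching the filesystem
    - resolve() follows symlinks, so a link pointing outside base_dir is caught
    - is_relative_to() (Python 3.9+) avoids the '/srv/data' vs '/srv/data2'
      prefix confusion that a plain startswith() check would have
    """
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded or os.path.isabs(decoded) or decoded.startswith("\\"):
        raise PermissionError(f"rejected path: {user_path!r}")
    base = Path(base_dir).resolve()
    target = (base / decoded).resolve()
    if not target.is_relative_to(base):
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return target


# Constructed payloads of the kind a scanner or the public PoC would send.
TRAVERSAL_PAYLOADS = (
    "../cmd_config.json",
    "%2e%2e/cmd_config.json",
    "%252e%252e/cmd_config.json",
    "sub/../../cmd_config.json",
    "/etc/passwd",
)


def demo() -> dict:
    """Build a throwaway layout and run both resolvers against the payloads."""
    root = Path(tempfile.mkdtemp())
    try:
        served = root / "data"
        served.mkdir()
        (served / "report.txt").write_text("public")
        secret = root / "cmd_config.json"  # one level above the served directory
        secret.write_text('{"llm_api_key": "sk-constructed-example"}')

        results = {
            "vulnerable_leaks_secret": Path(
                resolve_vulnerable(str(served), "../cmd_config.json")
            ).read_text() == secret.read_text(),
            "hardened_allows_legit": resolve_hardened(str(served), "report.txt")
            .read_text() == "public",
        }
        for payload in TRAVERSAL_PAYLOADS:
            try:
                resolve_hardened(str(served), payload)
                results[payload] = "ALLOWED"
            except PermissionError:
                results[payload] = "blocked"
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:32} {value}")
```

The containment check must be done on the fully resolved path, after decoding and after following symlinks; checking the raw string for `..` is exactly the kind of filter that percent-encoding and double encoding slip past. Running the block prints one line per case: the vulnerable resolver returns the secret, the hardened one serves `report.txt` and reports every payload as blocked.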
Upgrade AstrBot to version 3.5.13 or later. As a temporary alternative, edit the `cmd_config.json` file to disable the dashboard feature. However, upgrading to v3.5.13 or later is strongly recommended to fully resolve this issue.
CVE-2025-48957 is a Path Traversal vulnerability in AstrBot versions up to 3.5.9, allowing attackers to access sensitive files and data.
You are affected if you are running AstrBot version 3.5.9 or earlier. Upgrade to 3.5.13 or later to mitigate the risk.
Upgrade AstrBot to version 3.5.13 or later. If immediate upgrade is not possible, restrict file access permissions for the AstrBot user.
While active exploitation is not confirmed, the vulnerability's ease of reproduction suggests a potential for exploitation.
Refer to the AstrBot GitHub repository and associated release notes for the official advisory and patch details.