Platform: python
Component: astrbot
Fixed in: 3.4.5, 3.5.13
CVE-2025-48957 is a Path Traversal vulnerability discovered in AstrBot, a Python-based application. The flaw allows unauthorized access to sensitive files and directories, potentially exposing critical information. It affects AstrBot versions up to 3.5.9; a patch is available in version 3.5.13. Reproducing the vulnerability requires a controlled environment.
The primary impact of CVE-2025-48957 is information disclosure. An attacker can leverage the Path Traversal vulnerability to read arbitrary files on the system where AstrBot is running. This includes configuration files that may contain API keys for Large Language Model (LLM) providers, account passwords, and other sensitive data. The potential blast radius is significant, as compromised API keys could grant attackers access to external services and data, while stolen passwords could lead to account takeover. The ease of reproduction, as demonstrated by the provided steps, increases the likelihood of exploitation.
CVE-2025-48957 was publicly disclosed on 2025-06-04. A public proof-of-concept is available through the provided reproduction steps. The vulnerability's ease of exploitation and the potential for significant data disclosure suggest a medium probability of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.38% (59th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-48957 is to upgrade AstrBot to version 3.5.13 or later, which contains the fix. If upgrading immediately is not feasible, consider restricting file access permissions for the AstrBot user to minimize the potential impact of a successful attack. While a direct WAF rule is unlikely to be effective against Path Traversal, implementing strict input validation and sanitization within the AstrBot application itself can help prevent similar vulnerabilities in the future. There are no specific Sigma or YARA patterns available for this vulnerability at this time.
Upgrade AstrBot to version 3.5.13 or later. As a temporary workaround, edit the `cmd_config.json` file to disable the dashboard feature. However, upgrading to v3.5.13 or later is strongly recommended to fully resolve this issue.
CVE-2025-48957 is a Path Traversal vulnerability in AstrBot versions up to 3.5.9, allowing attackers to access sensitive files and data.
You are affected if you are running AstrBot version 3.5.9 or earlier. Upgrade to 3.5.13 or later to mitigate the risk.
Upgrade AstrBot to version 3.5.13 or later. If immediate upgrade is not possible, restrict file access permissions for the AstrBot user.
While active exploitation is not confirmed, the vulnerability's ease of reproduction suggests a potential for exploitation.
Refer to the AstrBot GitHub repository and associated release notes for the official advisory and patch details.