7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-48957

GHSA ID

GHSA-cq37-g2qp-3c2p

EPSS Score

0.26727%

CWE

CWE-23

Published

6/4/2025

Updated

6/4/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-48957

CVE-2025-48957:
AstrBot Has Path Traversal Vulnerability in /api/chat/get_file

Impact

This vulnerability may lead to:

Information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data.

Reproduce

Follow these steps to set up a test environment for reproducing the vulnerability:

Install dependencies and clone the repository:

pip install uv
git clone https://github.com/AstrBotDevs/AstrBot && cd AstrBot
uv run main.py

Alternatively, deploy the program via pip:

mkdir astrbot && cd astrbot
uvx astrbot init
uvx astrbot run

In another terminal, run the following command to exploit the vulnerability:

curl -L http://0.0.0.0:6185/api/chat/get_file?filename=../../../data/cmd_config.json

This request will read the cmd_config.json config file, leading to the leakage of sensitive data such as LLM API keys, usernames, and password hashes (MD5).

Patches

The vulnerability has been addressed in Pull Request #1676 and is included in versions >= v3.5.13. All users are strongly encouraged to upgrade to v3.5.13 or later.

Workarounds

Users can edit the cmd_config.json file to disable the dashboard feature as a temporary workaround. However, it is strongly recommended to upgrade to version v3.5.13 or later as soon as possible to fully resolve this issue.

References

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-48957

GHSA ID

GHSA-cq37-g2qp-3c2p

EPSS Score

0.26727%

CWE

CWE-23

Published

6/4/2025

Updated

6/4/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
astrbot	pip	>= 3.4.4, <= 3.5.12	3.5.13

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a path traversal in the /api/chat/get_file endpoint, which is handled by the get_file method of the ChatView class in astrbot/dashboard/routes/chat.py. The provided commit cceadf222c46813c7f41115b40d371e7eb91e492 shows the exact changes made to this function to fix the vulnerability. Specifically, the original code concatenated a user-provided filename with a base directory without proper sanitization. The patch introduces the use of os.path.basename() to extract only the filename and os.path.realpath() to resolve the absolute path, followed by a check to ensure this path is within the allowed self.imgs_dir. This directly addresses the path traversal. The exploit curl -L http://0.0.0.0:6185/api/chat/get_file?filename=../../../data/cmd_config.json confirms that this endpoint and the filename parameter were the vector for the attack. The auth_middleware function in astrbot/dashboard/server.py was also modified to remove /api/chat/get_file from allowed_endpoints that bypass authentication, which is a secondary hardening measure but the primary flaw was in get_file's handling of the filename parameter.

Vulnerable functions

astrbot.dashboard.routes.chat.ChatView.get_file

astrbot/dashboard/routes/chat.py

The `get_file` method in the `ChatView` class was vulnerable to path traversal because it directly used user-supplied `filename` input to construct a file path using `os.path.join(self.imgs_dir, filename)`. An attacker could provide a `filename` with path traversal sequences (e.g., `../../../sensitive_file`) to read arbitrary files on the server, limited by the privileges of the running process and the base directory `self.imgs_dir`. The patch mitigates this by using `os.path.basename(filename)` to strip directory components and then validating that the resolved path is within the intended directory.

WAF Protection Rules

WAF Rule

### Imp**t T*is vuln*r**ility m*y l*** to: * In*orm*tion *is*losur*, su** *s *PI k*ys *or LLM provi**rs, ***ount p*sswor*s, *n* ot**r s*nsitiv* **t*. ### R*pro*u** *ollow t**s* st*ps to s*t up * t*st *nvironm*nt *or r*pro*u*in* t** vuln*r**ility:

Reasoning

T** vuln*r**ility is * p*t* tr*v*rs*l in t** `/*pi/***t/**t_*il*` *n*point, w*i** is **n*l** *y t** `**t_*il*` m*t*o* o* t** `***tVi*w` *l*ss in `*str*ot/**s**o*r*/rout*s/***t.py`. T** provi*** *ommit `****************************************` s*ows

7.5

Basic Information

Concerned about an active attack path?

CVE-2025-48957: AstrBot Has Path Traversal Vulnerability in /api/chat/get_file

Impact

Reproduce

Patches

Workarounds

References

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-48957:
AstrBot Has Path Traversal Vulnerability in /api/chat/get_file

Vulnerability Intelligence
Miggo AI