Command Injection Vulnerability in Binance Trading Bot
CVE-2025-27106

7.7 HIGH

Key Information:

Vendor
Chrisleekr
Status
Binance-trading-bot
Vendor
CVE Published:
21 February 2025

Summary

The binance-trading-bot is susceptible to a command injection vulnerability that can lead to remote code execution on the host system. The issue arises in the /restore endpoint, where the name of an uploaded file is handled without sufficient sanitization, allowing authorized users to execute arbitrary code. The vulnerability has been addressed in version 0.0.100, and users are strongly encouraged to upgrade immediately to mitigate the risk. No known workarounds are available.
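The class of bug described above, as an added example that is not the project's code: a client-supplied file name spliced into a shell string, next to two defences (a server-generated name and an argument array with no shell). `UPLOAD_DIR`, the function names, the allowed extensions and the `restore-tool` command are assumptions for illustration; the page does not show how the /restore endpoint builds its command.

```javascript
const path = require("path");
const crypto = require("crypto");
const { execFile } = require("child_process");

// Assumed upload directory and tool name (hypothetical, not from the project).
const UPLOAD_DIR = "/tmp/restore-uploads";
const RESTORE_TOOL = "restore-tool";

// Unsafe pattern: the client's file name becomes part of a shell string, so
// characters such as ; | $ ` in the name are interpreted by the shell.
// This function only builds the string to show the problem; it runs nothing.
function unsafeShellCommand(clientName) {
  return `${RESTORE_TOOL} --input ${UPLOAD_DIR}/${clientName}`;
}

// Defence 1: never reuse the client's name. Keep only an allow-listed
// extension and store the upload under a server-generated random name.
function serverSideName(clientName) {
  const ext = path.extname(path.basename(String(clientName))).toLowerCase();
  if (![".archive", ".gz"].includes(ext)) {
    throw new Error("unsupported upload extension");
  }
  return crypto.randomBytes(16).toString("hex") + ext;
}

// Defence 2: build an argument array. The path is a single argv element that
// follows its option, so it cannot be parsed as shell syntax or as a flag.
function safeInvocation(storedName) {
  if (!/^[0-9a-f]{32}\.(archive|gz)$/.test(storedName)) {
    throw new Error("unexpected stored name");
  }
  return { file: RESTORE_TOOL, args: ["--input", path.join(UPLOAD_DIR, storedName)] };
}

// execFile runs the program directly (no shell unless `shell` is set).
function runRestore(storedName, callback) {
  const { file, args } = safeInvocation(storedName);
  return execFile(file, args, { timeout: 60000 }, callback);
}

// Constructed sample input: a name carrying a shell metacharacter.
const constructedName = "backup.archive; echo INJECTED";
```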

Affected Version(s)

binance-trading-bot < 0.0.100

CVSS V4

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
