Path Traversal Vulnerability in AstrBot Chatbot Framework
CVE-2025-48957

7.5HIGH

Key Information:

Vendor

Astrbotdevs

Status
Astrbot
Vendor
CVE Published:
2 June 2025

What is CVE-2025-48957?

A path traversal vulnerability in the AstrBot framework could allow unauthorized access to sensitive information, including API keys for large language model providers and user account passwords. This issue affects versions 3.4.4 through 3.5.12 of AstrBot. To address this vulnerability, users are advised to upgrade to version 3.5.13 or later. As a temporary solution, users can modify the cmd_config.json file to disable the dashboard feature until an update can be applied.

Affected Version(s)

AstrBot >= 3.4.4, < 3.5.13

References

https://github.com/AstrBotDevs/AstrBot/security/advisorie...
x_refsource_CONFIRM
https://github.com/AstrBotDevs/AstrBot/issues/1675
x_refsource_MISC
https://github.com/AstrBotDevs/AstrBot/pull/1676
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-48957 : Path Traversal Vulnerability in AstrBot Chatbot Framework