Hardcoded Private Key Vulnerability in AstrBot by AstrBotDevs
CVE-2025-55449

7.3 HIGH

Key Information:

Status
Vendor
CVE Published: 8 May 2026

What is CVE-2025-55449?

AstrBot version 3.5.15 from AstrBotDevs uses a hardcoded private key to sign JSON Web Tokens (JWT). Because the key is fixed in the shipped code rather than generated per deployment, anyone who obtains it can forge tokens that the application accepts as genuine, undermining the authenticity and integrity of its communications. Developers and users must address this issue promptly to safeguard against possible exploitation.
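The mitigation for this class of flaw, as an added Python sketch that is not AstrBot's code: the HS256 signing secret is loaded per deployment (environment variable, else a 0600 file, else freshly generated) and the process refuses to start on a known default, so a token minted under any other key fails verification. The environment variable name, file path and placeholder secret are assumptions for the example.

```python
import base64, hashlib, hmac, json, os, secrets

# Constructed placeholder standing in for a hardcoded default secret (not
# AstrBot's real key). Nothing on this deny-list may ever sign tokens.
KNOWN_DEFAULT_SECRETS = {"hardcoded-default-placeholder"}

def validate_jwt_secret(value: str) -> str:
    """Reject a secret that is a known hardcoded default or too short."""
    if value in KNOWN_DEFAULT_SECRETS or len(value) < 32:
        raise RuntimeError("refusing to start with a hardcoded or weak JWT secret")
    return value

def load_jwt_secret(env_var="JWT_SECRET", secret_file=".jwt_secret") -> str:
    """Per-deployment secret: env var, else a 0600 file, else freshly generated
    and persisted. The variable and file names are assumptions for this example."""
    value = os.environ.get(env_var)
    if value is None and os.path.exists(secret_file):
        with open(secret_file) as f:
            value = f.read().strip()
    if value is None:
        value = secrets.token_urlsafe(32)  # 256 bits of entropy, unique per install
        fd = os.open(secret_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(value)
    return validate_jwt_secret(value)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: str) -> str:
    """Minimal HS256 JWT encoder (no external library) for the demonstration."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"

def verify_hs256(token: str, secret: str):
    """Claims if the signature was made with this deployment's secret, else None;
    a token minted under any other key (a leaked default, say) is rejected."""
    parts = token.split(".")
    if len(parts) != 3 or json.loads(_b64url_decode(parts[0])).get("alg") != "HS256":
        return None  # pin the algorithm; never accept 'none' or a header-chosen alg
    expected = hmac.new(secret.encode(), f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return None
    return json.loads(_b64url_decode(parts[1]))
```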

References

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
