CVE-2025-57697

Source
https://cve.org/CVERecord?id=CVE-2025-57697
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57697.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-57697
Aliases
Published
2025-11-07T00:00:00Z
Modified
2026-07-08T07:16:27.502794848Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L CVSS Calculator
Summary
[none]
Details

AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function encodeimagebs64. Since the encodeimagebs64 function defined in entities.py opens the image specified by the user in the request body and returns the image content as a base64-encoded string without checking the legitimacy of the image path, attackers can construct a series of malicious URLs to read any specified file, resulting in sensitive data leakage.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/57xxx/CVE-2025-57697.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/astrbotdevs/astrbot

Affected ranges

Type
GIT
Repo
https://github.com/astrbotdevs/astrbot
Events
Database specific
{
    "source": "CPE_STRING",
    "cpe": "cpe:2.3:a:astrbot:astrbot:3.5.22:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "3.5.22"
        },
        {
            "last_affected": "3.5.22"
        }
    ]
}

Affected versions

3.*
3.5.22
v3.*
v3.5.22

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57697.json"