CVE-2025-59835

Source
https://cve.org/CVERecord?id=CVE-2025-59835
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59835.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-59835
Aliases
  • GHSA-7j3j-qj83-9qv4
Published
2025-10-02T18:59:42.808Z
Modified
2026-04-10T05:33:34.700480Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P CVSS Calculator
Summary
LangBot has a cross-directory file upload vulnerability, which could lead to system takeover
Details

LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5.

Database specific
{
    "cwe_ids": [
        "CWE-23",
        "CWE-434"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59835.json"
}
References

Affected packages

Git / github.com/langbot-app/langbot

Affected ranges

Type
GIT
Repo
https://github.com/langbot-app/langbot
Events

Affected versions

v4.*
v4.1.0
v4.1.1
v4.1.2
v4.2.0
v4.2.1
v4.2.2
v4.3.0
v4.3.0.beta2
v4.3.1
v4.3.2
v4.3.3
v4.3.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59835.json"