GHSA-vm2f-46xc-5jc3

Source

https://github.com/advisories/GHSA-vm2f-46xc-5jc3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-vm2f-46xc-5jc3/GHSA-vm2f-46xc-5jc3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vm2f-46xc-5jc3

Aliases

CVE-2025-57697

Published

2025-11-07T18:30:31Z

Modified

2025-11-07T21:12:36.571882Z

Severity

5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

AstrBot has an arbitrary file read vulnerability in function _encode_image_bs64

Details

AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function encodeimagebs64. Since the _encodeimage_bs64 function defined in entities.py opens the image specified by the user in the request body and returns the image content as a base64-encoded string without checking the legitimacy of the image path, attackers can construct a series of malicious URLs to read any specified file, resulting in sensitive data leakage.

Database specific

{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed_at": "2025-11-07T20:50:54Z",
    "nvd_published_at": "2025-11-07T18:15:36Z",
    "github_reviewed": true
}

References

Affected packages

PyPI / astrbot

Package

Name: astrbot; View open source insights on deps.dev
Purl: pkg:pypi/astrbot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

3.5.22

Affected versions

3.*

3.4.39

3.5.6

3.5.7

3.5.8

3.5.9

3.5.10

3.5.11

3.5.12

3.5.13

3.5.14

3.5.15

3.5.17

3.5.18

3.5.19

3.5.20

3.5.21

3.5.22