GHSA-xrj9-mw57-j34v

Source
https://github.com/advisories/GHSA-xrj9-mw57-j34v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-xrj9-mw57-j34v/GHSA-xrj9-mw57-j34v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xrj9-mw57-j34v
Aliases
  • CVE-2025-57698
Published
2025-11-07T18:30:30Z
Modified
2025-11-07T21:27:35.868347Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
AstrBot contains a directory traversal vulnerability
Details

AstrBot v3.5.22 contains a directory traversal vulnerability (CWE-22). The handler function installpluginupload behind the '/plugin/install-upload' interface reads the filename from the user-supplied request body and assigns it directly to filepath without validating it. That filepath is then passed to file.save, so a filename containing path traversal sequences lets the uploaded file be written to an arbitrary location in the file system.
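The following is an added illustration of the weak pattern the advisory describes next to a hardened replacement; it is not AstrBot's own code. The upload directory, the filename character allow-list and the .zip-only suffix rule are assumptions chosen for the example.

```python
import os
import re
from pathlib import Path

# Hypothetical plugin upload directory for this example (not AstrBot's real path).
UPLOAD_DIR = Path("/var/lib/example-bot/plugins")

# Assumed allow-list: a printable name of at most 128 characters that does not
# start with a dot, so ".", ".." and hidden files are rejected up front.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
ALLOWED_SUFFIXES = {".zip"}  # assumed: plugin uploads are archives


def unsafe_target(filename: str) -> str:
    """The pattern the advisory describes: the client-controlled name is joined to
    the storage directory with no validation. Separators or '..' in the name move the
    write outside UPLOAD_DIR, and os.path.join discards the base entirely when the
    second component is absolute."""
    return os.path.join(str(UPLOAD_DIR), filename)


def safe_target(filename: str) -> Path:
    """Return the path an uploaded plugin archive may be written to, or raise ValueError.

    The name is rejected (not silently rewritten) whenever it carries any directory
    component, falls outside the character allow-list, or has an unexpected suffix.
    """
    name = filename.replace("\\", "/")
    if "/" in name or not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected filename: {filename!r}")
    if Path(name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"unexpected file type: {name!r}")

    # Defense in depth: resolve both paths and confirm the target is still inside
    # the upload directory even if a symlink or an unforeseen name slips through.
    base = UPLOAD_DIR.resolve()
    target = (base / name).resolve()
    if os.path.commonpath([base, target]) != str(base):
        raise ValueError("resolved path escapes the upload directory")
    return target


def is_accepted(filename: str) -> bool:
    """Convenience wrapper: True if safe_target() would accept the name."""
    try:
        safe_target(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate archive name and a few that must be refused.
    for candidate in ["my_plugin.zip", "../../../etc/passwd", "..\\..\\plugin.zip", "plugin.py", ""]:
        print(f"{candidate!r:28} unsafe -> {unsafe_target(candidate)!r:45} accepted: {is_accepted(candidate)}")
```

The hardened version prefers rejection over sanitisation: stripping directory parts with a basename call would quietly accept a traversal attempt under a new name and hide the probe from logs, whereas a ValueError can be turned into a 400 response and an audit event.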

Database specific
{
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed_at": "2025-11-07T20:49:17Z",
    "nvd_published_at": "2025-11-07T17:15:47Z",
    "github_reviewed": true
}
References

Affected packages

Package
PyPI / astrbot

Affected ranges
Type
ECOSYSTEM
Events
  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Last affected: 3.5.22

Affected versions

3.*

3.4.39
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.5.11
3.5.12
3.5.13
3.5.14
3.5.15
3.5.17
3.5.18
3.5.19
3.5.20
3.5.21
3.5.22