CVE-2025-57698
Nov. 7, 2025, 5:15 p.m.
None
No Score
Description
AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to file_path without checking the validity of the filename. The variable file_path is then passed as a parameter to the function `file.save`, so that the file in the request body can be saved to any location in the file system through directory traversal.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Astrbot |
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | astrbot | astrbot | 3.5.22 | / | / | / | / | / | / | / |
Tags
Timeline
Published: Nov. 7, 2025, 5:15 p.m.
Last Modified: Nov. 7, 2025, 5:15 p.m.
Last Modified: Nov. 7, 2025, 5:15 p.m.
Status : Received
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
cve@mitre.org
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.