How the CVE Works
CVE-2025-48957 is a path traversal vulnerability in AstrBot versions 3.4.4 to 3.5.12. The flaw allows attackers to bypass directory restrictions by manipulating file paths in HTTP requests, leading to unauthorized access to sensitive files such as cmd_config.json. This exposes API keys, passwords, and other confidential data. The vulnerability stems from insufficient input validation when processing user-supplied paths in the dashboard feature. Attackers can exploit this by crafting malicious requests containing `../` sequences to traverse directories. The issue was fixed in version 3.5.13 by implementing strict path sanitization.
DailyCVE Form
Platform: AstrBot
Version: 3.4.4 – 3.5.12
Vulnerability: Path Traversal
Severity: Critical
Date: 06/25/2025
Prediction: Patch expected by 07/10/2025
What Undercode Say
Check AstrBot version:
astrbot --version
Temporary workaround (disable dashboard):
sed -i 's/"enable_dashboard": true/"enable_dashboard": false/g' cmd_config.json
Verify patch:
curl -s https://github.com/astrbot/astrbot/releases | grep "3.5.13"
How the Exploit Works
GET /api/load?file=../../../etc/passwd HTTP/1.1
Host: vulnerable-astrbot-instance
Protection from this CVE
- Upgrade to v3.5.13
- Disable dashboard feature
- Restrict file access permissions
Impact
- Unauthorized data exposure
- API key compromise
- Account takeover
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode