AstrBot Project, Directory Traversal, CVE-2025-57698


In AstrBot Project v3.5.22, the '/plugin/install-upload' endpoint is vulnerable to directory traversal. The install_plugin_upload function, which handles plugin file uploads, takes the filename directly from the user-controlled request body and assigns it to the file_path variable without any validation; file_path is then passed to the file.save function. Because no sanitization occurs, an attacker can craft a filename containing directory traversal sequences such as '../' (for example '../../../../tmp/exploit.php') and thereby control where the uploaded file is saved: the server traverses out of the plugin directory and writes the file to the attacker-chosen location. The root cause is trusting user input for file operations; the handler neither normalizes nor restricts the filename parameter, so files can be saved outside the intended plugin directory. Attackers can overwrite critical system files or upload web shells to executable directories. The issue is exploitable with a single HTTP POST request, yields arbitrary file write, and can result in remote code execution. The core flaw is improper input validation in file upload handling.
Platform: AstrBot Project
Version: v3.5.22
Vulnerability: Directory Traversal
Severity: Critical
Date: 11/07/2025

Prediction: Expected December 2025

What Undercode Say:

Bash commands and code related to this post:
curl -X POST -F "[email protected];filename=../../../var/www/html/shell.php" http://target/plugin/install-upload

import os

def install_plugin_upload(request):
    # The filename is taken straight from the user-controlled multipart request
    filename = request.files['file'].filename
    # No sanitization: '../' sequences in filename escape plugins_dir
    file_path = os.path.join(plugins_dir, filename)
    request.files['file'].save(file_path)

How to Exploit:

Craft a POST request with a traversal filename. Upload a malicious file. Access the saved file for RCE.

Protection from this CVE

Sanitize filenames. Validate paths. Use chroot. Update software.
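As an added example (not AstrBot's own code), here is the unchecked join from the snippet above next to the filename validation that "Sanitize filenames. Validate paths." calls for; PLUGINS_DIR and the function names are assumptions, since the page does not give AstrBot's real plugin directory.

```python
import os
import pathlib

# Assumed plugin directory; the page does not give AstrBot's real plugins_dir.
PLUGINS_DIR = "/opt/astrbot/data/plugins"


def unsafe_target_path(plugins_dir: str, filename: str) -> str:
    """Same pattern as the vulnerable handler: the user-supplied filename is
    joined unchecked. Note that os.path.join also discards plugins_dir when
    filename is absolute, so validation must reject that case as well."""
    return os.path.normpath(os.path.join(plugins_dir, filename))


def escapes_plugins_dir(plugins_dir: str, path: str) -> bool:
    """True when the resolved path lies outside plugins_dir (containment check)."""
    base = os.path.realpath(plugins_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def safe_target_path(plugins_dir: str, filename: str) -> str:
    """Hardened counterpart. Raises ValueError instead of writing outside
    plugins_dir; the HTTP handler should answer 400 on that error."""
    # 1. A plugin upload is a bare filename: no separators, no dot segments.
    if not filename or filename in (".", "..") or "/" in filename or "\\" in filename:
        raise ValueError(f"rejected filename: {filename!r}")
    # 2. Allow-list characters rather than trying to strip '../' out of the name;
    #    strip-based filters are fragile, an allow-list is not.
    if not all(c.isalnum() or c in "._-" for c in filename):
        raise ValueError(f"rejected filename: {filename!r}")
    # 3. Defence in depth: resolve both sides and require the target's parent to
    #    be plugins_dir itself, which also covers a plugins_dir that is a symlink.
    base = pathlib.Path(plugins_dir).resolve()
    target = (base / filename).resolve()
    if target.parent != base:
        raise ValueError(f"path escapes plugins dir: {target}")
    return str(target)


def is_rejected(plugins_dir: str, filename: str) -> bool:
    """Convenience wrapper: True when safe_target_path refuses the name."""
    try:
        safe_target_path(plugins_dir, filename)
    except ValueError:
        return True
    return False
```

The page's own sample name '../../../../tmp/exploit.php' resolves to /tmp/exploit.php through unsafe_target_path and is refused by safe_target_path at step 1.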

Impact:

Remote code execution. System compromise. Data breach.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
