216.73.216.170

CVE-2025-57698

· Published 07/11/2025 17:15 · Modified 05/12/2025 20:51

Labels: CVE-2025-57698 2025-11-07CVE-2025-57698CWE-22[email protected]

Essential information

Published
07/11/2025 17:15
Modified
05/12/2025 20:51
Author
Creator
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS metrics

Description

AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to file_path without checking the validity of the filename. The variable file_path is then passed as a parameter to the function `file.save`, so that the file in the request body can be saved to any location in the file system through directory traversal.

NVD status

Status
Analyzed — CVE has had analysis completed and all data associations made.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
astrbot / astrbot cpe:2.3:a:astrbot:astrbot:3.5.22:*:*:*:*:*:*:*

References