CVE-2025-47948: Cocotais Bot has builtin .echo command injection

May 19, 2025

A command echoing feature in the framework allows users to indirectly trigger privileged behavior by injecting special platform tags. Specifically, an unauthorized user can use the /echo <qqbot-at-everyone /> command to cause the bot to send a message that mentions all members in the chat, bypassing any permission controls. This can lead to spam, disruption, or abuse of notification systems.

References

github.com/advisories/GHSA-mj2c-8hxf-ffvq
github.com/cocotais/cocotais-bot
github.com/cocotais/cocotais-bot/commit/d1cf01a9a41b3131241d1833444b890c8d6e70b8
github.com/cocotais/cocotais-bot/security/advisories/GHSA-mj2c-8hxf-ffvq
nvd.nist.gov/vuln/detail/CVE-2025-47948

Code Behaviors & Features

Detect and mitigate CVE-2025-47948 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →