CVE-2025-48957: AstrBot Has Path Traversal Vulnerability in /api/chat/get_file
This vulnerability may lead to:
- Information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data.
References
- github.com/AstrBotDevs/AstrBot
- github.com/AstrBotDevs/AstrBot/commit/cceadf222c46813c7f41115b40d371e7eb91e492
- github.com/AstrBotDevs/AstrBot/issues/1675
- github.com/AstrBotDevs/AstrBot/pull/1676
- github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-cq37-g2qp-3c2p
- github.com/advisories/GHSA-cq37-g2qp-3c2p
- nvd.nist.gov/vuln/detail/CVE-2025-48957
- www.vicarius.io/vsociety/posts/cve-2025-48957-detect-astrbot-dashboard-vulnerability?prevUrl=wizard
- www.vicarius.io/vsociety/posts/cve-2025-48957-mitigate-astrbot-dashboard-vulnerability?prevUrl=wizard