CVE-2025-57698: AstrBot contains a directory traversal vulnerability

November 7, 2025

AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface ‘/plugin/install-upload’ parses the filename from the request body provided by the user, and directly uses the filename to assign to file_path without checking the validity of the filename. The variable file_path is then passed as a parameter to the function file.save, so that the file in the request body can be saved to any location in the file system through directory traversal.

References

github.com/AstrBotDevs/AstrBot
github.com/DYX217/vulnerability-explore/blob/main/2/README.md
github.com/advisories/GHSA-xrj9-mw57-j34v
nvd.nist.gov/vuln/detail/CVE-2025-57698

Code Behaviors & Features

Detect and mitigate CVE-2025-57698 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →