CVE-2025-48957
HIGHDescription
AstrBot is a large language model chatbot and development framework. A path traversal vulnerability present in versions 3.4.4 through 3.5.12 may lead to information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. The vulnerability has been addressed in Pull Request #1676 and is included in version 3.5.13. As a workaround, users can edit the `cmd_config.json` file to disable the dashboard feature as a temporary workaround. However, it is strongly recommended to upgrade to version v3.5.13 or later to fully resolve this issue.
Is your site exposed to CVE-2025-48957?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| astrbot | astrbot |
References
Advisories & Patches
Exploits
Frequently Asked Questions
What is CVE-2025-48957? +
How severe is CVE-2025-48957? +
What products are affected by CVE-2025-48957? +
How do I check if I'm vulnerable to CVE-2025-48957? +
Related Vulnerabilities
Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application …
The API used to interact with documents in the application contains a flaw that allows an authenticated attacker to read …
Collabora Online is a collaborative online office suite based on LibreOffice technology. In versions prior to 24.04.12.4, 23.05.19, and 22.05.25, …
Atheos is a self-hosted browser-based cloud IDE. Prior to v602, similar to GHSA-rgjm-6p59-537v/CVE-2025-22152, the `$target` parameter in `/controller.php` was not …
If exploited an attacker could traverse the file system to access files or directories that would otherwise be inaccessible
Luanox is a module host for Lua packages. Prior to 0.1.1, a file traversal vulnerability can cause potential denial of …