Vulnerability Description
AstrBot is a large language model chatbot and development framework. A path traversal vulnerability present in versions 3.4.4 through 3.5.12 may lead to information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. The vulnerability has been addressed in Pull Request #1676 and is included in version 3.5.13. As a temporary workaround, users can edit the `cmd_config.json` file to disable the dashboard feature. However, it is strongly recommended to upgrade to version v3.5.13 or later to fully resolve this issue.
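The advisory does not describe the vulnerable code path or the change made in PR #1676, so the following is an added, illustrative example rather than AstrBot's own code or its fix. It shows the kind of containment check a dashboard endpoint that serves files must perform so that a client-supplied path cannot resolve outside the intended directory. The directory layout, file names and the `resolve_under_root` / `demo` helpers are constructed for this example only.

```python
import os
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the allowed root."""


def resolve_under_root(root: str, requested: str) -> Path:
    """Map a client-supplied relative path onto a file under `root`.

    Generic hardening steps (an assumption for this example, not AstrBot's
    actual implementation):
      1. URL-decode once, so percent-encoded '..' (%2e%2e) is not missed.
      2. Reject absolute paths and NUL bytes outright.
      3. Resolve root and candidate (symlinks followed), then check
         containment on the resolved paths, not on the raw string.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    if os.path.isabs(decoded) or decoded.startswith(("\\", "//")):
        raise PathTraversalError("absolute path not allowed")
    root_resolved = Path(root).resolve()
    candidate = (root_resolved / decoded).resolve()
    try:
        candidate.relative_to(root_resolved)  # raises ValueError if outside root
    except ValueError:
        raise PathTraversalError(f"{requested!r} escapes {root}") from None
    return candidate


def demo() -> dict:
    """Constructed (hypothetical) layout used to exercise the check:
        <tmp>/cmd_config.json      -- sensitive config outside the served root
        <tmp>/static/index.html    -- legitimately served file
    Returns {request: True if the file would be served, False if rejected}.
    """
    base = Path(tempfile.mkdtemp())
    (base / "cmd_config.json").write_text('{"api_key": "CONSTRUCTED-PLACEHOLDER"}')
    static = base / "static"
    static.mkdir()
    (static / "index.html").write_text("<html>ok</html>")

    # Constructed request paths: one legitimate, the rest traversal attempts.
    requests = [
        "index.html",
        "./index.html",
        "../cmd_config.json",
        "%2e%2e/cmd_config.json",
        "..%2fcmd_config.json",
        "sub/../../cmd_config.json",
        str(base / "cmd_config.json"),  # absolute path to the secret
    ]
    results = {}
    for req in requests:
        try:
            resolve_under_root(str(static), req)
            results[req] = True
        except PathTraversalError:
            results[req] = False
    shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    for req, served in demo().items():
        print(f"{'SERVED ' if served else 'REJECT '} {req}")
```

Checking containment on the resolved `Path` rather than on the raw string is the design point: string filters for `..` miss percent-encoding, redundant separators and symlinks, whereas `relative_to` on two fully resolved paths answers the only question that matters, namely whether the final file lies under the served root.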
CVSS Score
HIGH (base score 7.5)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Astrbot | Astrbot | >= 3.4.4, < 3.5.13 |
Related Weaknesses (CWE)
References
- https://github.com/AstrBotDevs/AstrBot/commit/cceadf222c46813c7f41115b40d371e7eb (Patch)
- https://github.com/AstrBotDevs/AstrBot/issues/1675 (Exploit, Issue Tracking)
- https://github.com/AstrBotDevs/AstrBot/pull/1676 (Exploit, Issue Tracking, Patch)
- https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-cq37-g2qp-3c2p (Exploit, Vendor Advisory)
- https://www.vicarius.io/vsociety/posts/cve-2025-48957-detect-astrbot-dashboard-v (Exploit, Third Party Advisory)
- https://www.vicarius.io/vsociety/posts/cve-2025-48957-mitigate-astrbot-dashboard (Mitigation, Third Party Advisory)
FAQ
What is CVE-2025-48957?
CVE-2025-48957 is a vulnerability with a CVSS score of 7.5 (HIGH). AstrBot is a large language model chatbot and development framework. A path traversal vulnerability present in versions 3.4.4 through 3.5.12 may lead to information disclosure, such as API keys for LL...
How severe is CVE-2025-48957?
CVE-2025-48957 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2025-48957?
Check the references section above for vendor advisories and patch information. The affected product is Astrbot (vendor: Astrbot), versions >= 3.4.4 and < 3.5.13.