MEDIUM · 6.5

CVE-2025-57697


Vulnerability Description

AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function _encode_image_bs64. Since the _encode_image_bs64 function defined in entities.py opens the image specified by the user in the request body and returns the image content as a base64-encoded string without checking the legitimacy of the image path, attackers can construct a series of malicious URLs to read any specified file, resulting in sensitive data leakage.
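The defect described above is the absence of any check on where the user-supplied image path points before the file is opened and base64-encoded. The following is an added example (not AstrBot's own code, and not the real `_encode_image_bs64` from `entities.py`) showing the hardened pattern a maintainer would apply: treat the request value as a relative name inside an allow-listed image directory, resolve it (following `..` and symlinks), and refuse anything that lands outside that directory or does not look like an image. The root directory, the suffix allow-list, and the function names are assumptions chosen for the example; `make_demo_root` only builds a constructed sandbox so the block runs offline.

```python
import base64
import os
import tempfile
from pathlib import Path

# Assumption for this example: images may only be served from one allow-listed
# directory. The real project's layout is not known from the advisory.
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".webp"}


def resolve_image_path(user_path: str, root: Path) -> Path:
    """Map a request-supplied path onto a file strictly inside `root`.

    Raises PermissionError if the path is absolute or escapes the root after
    resolution, ValueError if the suffix is not an allowed image type, and
    FileNotFoundError if nothing regular exists at the resolved location.
    """
    if os.path.isabs(user_path):
        # Absolute paths (e.g. "/etc/hostname") would replace the root when joined.
        raise PermissionError("absolute paths are not accepted")

    root = root.resolve()
    candidate = (root / user_path).resolve()  # collapses ".." and follows symlinks

    # Containment check: the resolved file must be the root itself or below it.
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes the image directory: {user_path!r}")

    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"not an allowed image type: {candidate.suffix!r}")

    if not candidate.is_file():
        raise FileNotFoundError(user_path)

    return candidate


def encode_image_bs64_safe(user_path: str, root: Path) -> str:
    """Hardened counterpart of the unchecked open-and-encode described in the advisory."""
    path = resolve_image_path(user_path, root)
    return base64.b64encode(path.read_bytes()).decode("ascii")


def is_allowed_image_path(user_path: str, root: Path) -> bool:
    """Boolean view of the same check, convenient for logging or tests."""
    try:
        resolve_image_path(user_path, root)
        return True
    except (PermissionError, ValueError, FileNotFoundError):
        return False


def make_demo_root() -> Path:
    """Constructed sandbox: a temp directory holding two tiny image stubs."""
    root = Path(tempfile.mkdtemp(prefix="image_root_example_"))
    (root / "ok.png").write_bytes(b"\x89PNG\r\n\x1a\n")   # PNG magic bytes only
    (root / "sub").mkdir()
    (root / "sub" / "in.jpg").write_bytes(b"\xff\xd8\xff")  # JPEG magic bytes only
    return root


if __name__ == "__main__":
    root = make_demo_root()
    print(encode_image_bs64_safe("ok.png", root))          # inside the root: encoded
    for attempt in ("../ok.png", "sub/../../x.png", "ok.txt"):
        print(attempt, "->", is_allowed_image_path(attempt, root))  # all False
```

The containment test is done on the resolved path, not on the raw string, so a name that looks harmless but traverses via `..` or a symlink is still rejected; the suffix allow-list is a second, independent layer so that a path which does stay inside the directory cannot be used to pull back non-image files stored there.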

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: NONE
Availability: LOW

Affected Products

Vendor    Product    Versions
Astrbot   Astrbot    3.5.22

Related Weaknesses (CWE)

References

FAQ

What is CVE-2025-57697?

CVE-2025-57697 is a vulnerability with a CVSS score of 6.5 (MEDIUM). AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function _encode_image_bs64. Since the _encode_image_bs64 function defined in entities.py opens the image specified by the user in the request body and returns the image content as a base64-encoded string without checking the legitimacy of the image path, attackers can construct a series of malicious URLs to read any specified file, resulting in sensitive data leakage.

How severe is CVE-2025-57697?

CVE-2025-57697 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2025-57697?

Check the references section above for vendor advisories and patch information. Affected products include: Astrbot Astrbot.