SamuNatsu HaloBot CVE-2025-14695
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was determined in SamuNatsu HaloBot up to 026b01d4a896d93eaaf9d5163a287dc9f267515b. Affected is the function html_renderer of the file plugins/html_renderer/index.js of the component Inter-plugin API. Executing manipulation of the argument action can lead to dynamically-managed code resources. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
AnalysisAI
Remote code execution via dynamic code resource manipulation in SamuNatsu HaloBot's Inter-plugin API allows authenticated remote attackers to execute arbitrary code by manipulating the action argument in the html_renderer plugin. The vulnerability affects unsupported legacy versions of the product (commit hash 026b01d4a896d93eaaf9d5163a287dc9f267515b and earlier), with publicly available exploit code disclosed but no vendor-released patch, as the maintainer has abandoned the project and did not respond to early disclosure.
Technical ContextAI
The vulnerability exists in the Inter-plugin API mechanism exposed through plugins/html_renderer/index.js, which dynamically processes code resources based on user-supplied input. The affected component accepts an action argument that controls which code resources are loaded or executed, creating a classic dynamic code inclusion vulnerability (CWE-913). The Inter-plugin API architecture allows plugins to communicate and invoke functionality across the plugin ecosystem, amplifying the impact of unsafe argument handling. Because SamuNatsu HaloBot uses commit hashes rather than semantic versioning, affected versions cannot be precisely enumerated beyond the known vulnerable commit 026b01d4a896d93eaaf9d5163a287dc9f267515b.
Affected ProductsAI
SamuNatsu HaloBot up to and including commit 026b01d4a896d93eaaf9d5163a287dc9f267515b. The product does not use semantic versioning, so affected versions are identified only by commit hash and repository history. All versions prior to and including 026b01d4a896d93eaaf9d5163a287dc9f267515b are considered vulnerable. The product is no longer maintained, meaning no newer unaffected versions exist.
RemediationAI
No vendor-released patch is available, as SamuNatsu HaloBot is no longer maintained and the vendor did not respond to early disclosure. Users still running legacy instances of this product should immediately discontinue use and migrate to a maintained alternative for HTML rendering or plugin-based functionality. If discontinuation is not feasible, the following compensating controls should be evaluated: (1) Restrict network access to the Inter-plugin API and html_renderer component using network-level access controls, limiting exposure to trusted internal networks only - this requires architectural isolation and carries the trade-off of limiting legitimate inter-plugin communication. (2) Enforce strict authentication and authorization on all Inter-plugin API calls, ensuring only trusted internal plugins can invoke the html_renderer component - requires plugin authentication framework not present in unsupported legacy code. (3) Disable or remove the html_renderer plugin entirely if not critical to operations - eliminates the attack surface but removes the functionality. No patch-based mitigation exists; remediation requires either product replacement or deployment isolation.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today