Astrbot
Monthly
Path traversal in AstrBot 4.23.6 allows authenticated remote attackers to manipulate the Name parameter of the /api/skills/delete API endpoint to escape the intended directory boundary, enabling unauthorized deletion or corruption of arbitrary files on the host system. The CVSS vector (C:N/I:L/A:L) confirms no confidentiality exposure but meaningful integrity and availability impact. A public proof-of-concept exploit is available on GitHub; the vendor did not respond to responsible disclosure, and no patch has been released at time of analysis.
Authorization bypass in AstrBotDevs AstrBot 4.24.2 enables remote low-privilege authenticated attackers to manipulate the session_id argument within the astr_main_agent function to access or control sessions belonging to other users. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), where the server fails to verify that the requesting user owns the supplied session_id. A publicly available exploit exists via GitHub gist, no vendor patch has been released, and the vendor did not respond to disclosure - elevating practical risk above what the CVSS 6.3 Medium score alone implies.
Incorrect authorization in AstrBot 4.23.6 allows remote low-privileged attackers to bypass filesystem path restrictions via the `_normalize_rw_path` function in `astrbot/core/tools/computer_tools/fs.py`, resulting in unauthorized read, write, or access to files outside the intended scope. The vulnerability stems from improper path normalization logic that fails to enforce access controls correctly, enabling authenticated users to escape sandboxed file boundaries. A public proof-of-concept exploit exists on GitHub, and the vendor was unresponsive to coordinated disclosure, leaving no official patch available at time of analysis.
Injection in AstrBot 4.23.6 allows authenticated remote attackers to manipulate input through the `_sanitize_prompt_description` function in `astrbot/core/skills/skill_manager.py`, bypassing sanitization and achieving partial impact on confidentiality, integrity, and availability. A publicly available exploit (POC) exists on GitHub, and the vendor did not respond to responsible disclosure, meaning no official patch has been released. No public exploit identified as confirmed actively exploited (CISA KEV), though the public POC and low-privilege entry point lower the barrier for exploitation.
Path traversal in AstrBot dashboard file upload allows authenticated remote attackers to write files outside intended directories via manipulated filenames. Affected versions through 4.23.5 fail to sanitize user-supplied filenames in the post_file function, enabling directory traversal sequences (../, ..\ ) to bypass access controls. Publicly available exploit code exists (GitHub Gist by YLChen-007). Vendor-released patch in version 4.23.6 implements filename sanitization using PurePosixPath normalization and path validation to prevent traversal. CVE assigned CVSS 6.3 (Medium) with low-privilege remote exploitation confirmed. No CISA KEV listing indicates exploitation remains targeted rather than widespread.
Hard-coded credentials in AstrBot Dashboard (versions ≤4.16.0) enable remote unauthenticated attackers to bypass authentication and gain partial system access. The vulnerability resides in astrbot/dashboard/routes/auth.py, allowing complete authentication bypass without network complexity or user interaction. A public exploit exists on GitHub, and the vendor has not responded to responsible disclosure attempts, leaving users exposed to credential-based attacks with moderate impact across confidentiality, integrity, and availability (CVSS 7.3). EPSS data not available; KEV status negative indicates no confirmed widespread exploitation despite public POC.
Server-side request forgery (SSRF) in AstrBot API endpoint post_data.get allows authenticated remote attackers to perform arbitrary HTTP requests from the server, potentially exposing internal services or enabling data exfiltration. AstrBot versions up to 4.22.1 are affected. Publicly available exploit code exists, though vendor response remains pending despite early notification.
Command injection in AstrBot's MCP endpoint handler (add_mcp_server function) allows authenticated remote attackers to execute arbitrary system commands via the command parameter. Versions up to 4.22.1 are affected. The vulnerability is publicly disclosed with exploit code available on GitHub, and the vendor has not released a patch despite early notification.
AstrBot versions up to 4.22.1 allow authenticated remote attackers to bypass sandbox restrictions via malicious file uploads to the install-upload endpoint (install_plugin_upload function), enabling arbitrary code execution with limited information disclosure and integrity impact. The vulnerability exists in the plugin installation mechanism and has publicly available exploit code; the vendor has been notified but has not yet responded with a patch.
AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function _encode_image_bs64. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AstrBot Project v3.5.22 contains a directory traversal vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AstrBot versions 3.4.4 through 3.5.12 contain a path traversal vulnerability (CWE-23) in the dashboard feature that allows unauthenticated remote attackers to disclose sensitive information including LLM provider API keys, account passwords, and other confidential data. The vulnerability has a CVSS score of 7.5 (High) with high confidentiality impact and no authentication requirements. Patch is available in version 3.5.13 and later via Pull Request #1676.
Path traversal in AstrBot 4.23.6 allows authenticated remote attackers to manipulate the Name parameter of the /api/skills/delete API endpoint to escape the intended directory boundary, enabling unauthorized deletion or corruption of arbitrary files on the host system. The CVSS vector (C:N/I:L/A:L) confirms no confidentiality exposure but meaningful integrity and availability impact. A public proof-of-concept exploit is available on GitHub; the vendor did not respond to responsible disclosure, and no patch has been released at time of analysis.
Authorization bypass in AstrBotDevs AstrBot 4.24.2 enables remote low-privilege authenticated attackers to manipulate the session_id argument within the astr_main_agent function to access or control sessions belonging to other users. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), where the server fails to verify that the requesting user owns the supplied session_id. A publicly available exploit exists via GitHub gist, no vendor patch has been released, and the vendor did not respond to disclosure - elevating practical risk above what the CVSS 6.3 Medium score alone implies.
Incorrect authorization in AstrBot 4.23.6 allows remote low-privileged attackers to bypass filesystem path restrictions via the `_normalize_rw_path` function in `astrbot/core/tools/computer_tools/fs.py`, resulting in unauthorized read, write, or access to files outside the intended scope. The vulnerability stems from improper path normalization logic that fails to enforce access controls correctly, enabling authenticated users to escape sandboxed file boundaries. A public proof-of-concept exploit exists on GitHub, and the vendor was unresponsive to coordinated disclosure, leaving no official patch available at time of analysis.
Injection in AstrBot 4.23.6 allows authenticated remote attackers to manipulate input through the `_sanitize_prompt_description` function in `astrbot/core/skills/skill_manager.py`, bypassing sanitization and achieving partial impact on confidentiality, integrity, and availability. A publicly available exploit (POC) exists on GitHub, and the vendor did not respond to responsible disclosure, meaning no official patch has been released. No public exploit identified as confirmed actively exploited (CISA KEV), though the public POC and low-privilege entry point lower the barrier for exploitation.
Path traversal in AstrBot dashboard file upload allows authenticated remote attackers to write files outside intended directories via manipulated filenames. Affected versions through 4.23.5 fail to sanitize user-supplied filenames in the post_file function, enabling directory traversal sequences (../, ..\ ) to bypass access controls. Publicly available exploit code exists (GitHub Gist by YLChen-007). Vendor-released patch in version 4.23.6 implements filename sanitization using PurePosixPath normalization and path validation to prevent traversal. CVE assigned CVSS 6.3 (Medium) with low-privilege remote exploitation confirmed. No CISA KEV listing indicates exploitation remains targeted rather than widespread.
Hard-coded credentials in AstrBot Dashboard (versions ≤4.16.0) enable remote unauthenticated attackers to bypass authentication and gain partial system access. The vulnerability resides in astrbot/dashboard/routes/auth.py, allowing complete authentication bypass without network complexity or user interaction. A public exploit exists on GitHub, and the vendor has not responded to responsible disclosure attempts, leaving users exposed to credential-based attacks with moderate impact across confidentiality, integrity, and availability (CVSS 7.3). EPSS data not available; KEV status negative indicates no confirmed widespread exploitation despite public POC.
Server-side request forgery (SSRF) in AstrBot API endpoint post_data.get allows authenticated remote attackers to perform arbitrary HTTP requests from the server, potentially exposing internal services or enabling data exfiltration. AstrBot versions up to 4.22.1 are affected. Publicly available exploit code exists, though vendor response remains pending despite early notification.
Command injection in AstrBot's MCP endpoint handler (add_mcp_server function) allows authenticated remote attackers to execute arbitrary system commands via the command parameter. Versions up to 4.22.1 are affected. The vulnerability is publicly disclosed with exploit code available on GitHub, and the vendor has not released a patch despite early notification.
AstrBot versions up to 4.22.1 allow authenticated remote attackers to bypass sandbox restrictions via malicious file uploads to the install-upload endpoint (install_plugin_upload function), enabling arbitrary code execution with limited information disclosure and integrity impact. The vulnerability exists in the plugin installation mechanism and has publicly available exploit code; the vendor has been notified but has not yet responded with a patch.
AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function _encode_image_bs64. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AstrBot Project v3.5.22 contains a directory traversal vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AstrBot versions 3.4.4 through 3.5.12 contain a path traversal vulnerability (CWE-23) in the dashboard feature that allows unauthenticated remote attackers to disclose sensitive information including LLM provider API keys, account passwords, and other confidential data. The vulnerability has a CVSS score of 7.5 (High) with high confidentiality impact and no authentication requirements. Patch is available in version 3.5.13 and later via Pull Request #1676.