Skip to content

Commit 76c2d1d

Browse files
advisory-database[bot]advisory-database[bot]
committed
1 parent 9a1122b commit 76c2d1d

File tree

1 file changed

+39
-7
lines changed

1 file changed

+39
-7
lines changed

advisories/unreviewed/2025/11/GHSA-xrj9-mw57-j34v/GHSA-xrj9-mw57-j34v.json renamed to advisories/github-reviewed/2025/11/GHSA-xrj9-mw57-j34v/GHSA-xrj9-mw57-j34v.json

Lines changed: 39 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1,29 +1,61 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-xrj9-mw57-j34v",
4-
"modified": "2025-11-07T18:30:30Z",
4+
"modified": "2025-11-07T20:49:17Z",
55
"published": "2025-11-07T18:30:30Z",
66
"aliases": [
77
"CVE-2025-57698"
88
],
9+
"summary": "AstrBot contains a directory traversal vulnerability",
910
"details": "AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to file_path without checking the validity of the filename. The variable file_path is then passed as a parameter to the function `file.save`, so that the file in the request body can be saved to any location in the file system through directory traversal.",
10-
"severity": [],
11-
"affected": [],
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "AstrBot"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "3.5.22"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
1238
"references": [
1339
{
1440
"type": "ADVISORY",
1541
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57698"
1642
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/AstrBotDevs/AstrBot"
46+
},
1747
{
1848
"type": "WEB",
1949
"url": "https://github.com/DYX217/vulnerability-explore/blob/main/2/README.md"
2050
}
2151
],
2252
"database_specific": {
23-
"cwe_ids": [],
24-
"severity": null,
25-
"github_reviewed": false,
26-
"github_reviewed_at": null,
53+
"cwe_ids": [
54+
"CWE-22"
55+
],
56+
"severity": "HIGH",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2025-11-07T20:49:17Z",
2759
"nvd_published_at": "2025-11-07T17:15:47Z"
2860
}
2961
}

0 commit comments

Comments
 (0)