PT-2025-23500 · Astrbot · Astrbot

Raven95676 +1 · Published 2025-06-02 · Updated 2025-06-25 · CVE-2025-48957

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: AstrBot versions 3.4.4 through 3.5.12

Description: AstrBot is a large language model chatbot and development framework. A path traversal vulnerability may lead to information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. The vulnerability has been addressed in Pull Request #1676 and is included in version 3.5.13.

Recommendations: For AstrBot versions 3.4.4 through 3.5.12, as a temporary workaround, users can edit the cmd config.json file to disable the dashboard feature. However, it is strongly recommended to upgrade to version 3.5.13 or later to fully resolve this issue.
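The advisory names the weakness class (path traversal in a file-serving dashboard) but not the code. The following is an added illustration written for this page; it is not AstrBot's code and not the change from Pull Request #1676. It contrasts the join-and-prefix pattern that typically produces this class of bug with a containment check that resolves the candidate path and tests it component-wise against the allowed root. The directory tree, the "secret" file and the symlink are constructed inside a temporary directory so the block runs offline.

```python
import os
import shutil
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path would land outside the allowed root."""


def naive_join(root: str, requested: str) -> str:
    """The pattern that goes wrong.

    os.path.join discards `root` entirely when `requested` is absolute,
    and '..' segments are kept verbatim, so a later str.startswith(root)
    check still passes for 'root/../secret'.
    """
    return os.path.join(root, requested)


def safe_resolve(root: str, requested: str) -> Path:
    """Return the real path of `requested` inside `root`, or raise.

    - absolute requests are rejected before any joining happens
    - '..' components are collapsed by resolve() and the result must
      still be inside the resolved root
    - symlinks are followed, so a link that points outside the root is
      rejected just like a literal '..'
    - containment is tested with Path.relative_to (path components),
      not string prefixes, so a sibling such as root + '2' does not pass
    """
    if os.path.isabs(requested):
        raise PathTraversalError(f"absolute path not allowed: {requested!r}")
    root_real = Path(root).resolve()
    candidate = (root_real / requested).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise PathTraversalError(f"path escapes root: {requested!r}") from None
    return candidate


def demo() -> dict:
    """Build a throwaway tree and classify a few requests as ok/blocked.

    Layout (constructed for this example):
        <tmp>/webroot/index.html   - the only file that should be served
        <tmp>/secret.json          - stands in for a config holding keys
        <tmp>/webroot/link         - symlink to secret.json, if supported
    """
    base = Path(tempfile.mkdtemp())
    try:
        root = base / "webroot"
        root.mkdir()
        (root / "index.html").write_text("<h1>ok</h1>")
        (base / "secret.json").write_text('{"api_key": "CONSTRUCTED-NOT-REAL"}')
        try:
            (root / "link").symlink_to(base / "secret.json")
            have_link = True
        except OSError:  # e.g. no symlink privilege on some platforms
            have_link = False

        requests = ["index.html", "sub/../index.html", "../secret.json", "/etc/passwd"]
        if have_link:
            requests.append("link")

        results = {}
        for req in requests:
            try:
                safe_resolve(str(root), req)
                results[req] = "ok"
            except PathTraversalError:
                results[req] = "blocked"
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req!r:22} -> {verdict}")
```

The point of `relative_to` over `str.startswith` is that the check operates on path components after resolution: `../secret.json`, an absolute path, and a symlink out of the root all fail the same test, while `sub/../index.html`, which collapses to a file inside the root, is accepted.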

Weakness Enumeration

Path traversal
Relative Path Traversal

Related Identifiers

CVE-2025-48957
GHSA-CQ37-G2QP-3C2P

Affected Products

Astrbot