PT-2025-45473 · Unknown · Astrbot Project

Published: 2025-11-07 · Updated: 2025-12-05 · CVE-2025-57697

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions
AstrBot Project version 3.5.22

Description
The software contains an arbitrary file read issue in the encode image bs64 function. This function, defined in entities.py, opens an image specified by a user-controlled request body and returns its content as a base64-encoded string without validating the image path. This allows attackers to construct malicious URLs to read any specified file, potentially leading to sensitive data disclosure. The vulnerable function is encode image bs64.

Recommendations
Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the encode image bs64 function until a patch is available.
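The check a maintainer would put in front of such a function, as an added example that is not AstrBot's code: the unconfined read described above beside a version that resolves the requested path and refuses anything outside an allowlisted image directory. The helper names, the images/ directory and the sandbox contents are constructed for the illustration.

```python
import base64
import os
import tempfile

class ImagePathRejected(ValueError):
    """Requested path is outside the allowed image directory or not a regular file."""

def encode_image_unconfined(path: str) -> str:
    # Weak pattern (the bug class in the advisory): whatever path the request body
    # names is opened and returned, so any file readable by the process leaks.
    with open(path, "rb") as f:
        return base64.b64encode(f.read()).decode("ascii")

def resolve_confined(image_root: str, user_path: str) -> str:
    """Resolve user_path under image_root; reject traversal, absolute paths and symlink escapes."""
    root = os.path.realpath(image_root)
    # Strip leading separators so an absolute user_path cannot replace root inside join().
    candidate = os.path.realpath(os.path.join(root, user_path.lstrip("/\\")))
    # realpath() followed symlinks, so a link pointing outside root fails this test too.
    if os.path.commonpath([root, candidate]) != root:
        raise ImagePathRejected(f"path escapes image directory: {user_path!r}")
    if not os.path.isfile(candidate):
        raise ImagePathRejected(f"not a regular file: {user_path!r}")
    return candidate

def encode_image_confined(image_root: str, user_path: str) -> str:
    # Hardened pattern: only regular files that resolve inside image_root are opened.
    with open(resolve_confined(image_root, user_path), "rb") as f:
        return base64.b64encode(f.read()).decode("ascii")

def demo() -> dict:
    """Constructed sandbox: one allowed image under images/, one secret outside it."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "images")
    os.makedirs(root)
    with open(os.path.join(root, "ok.png"), "wb") as f:
        f.write(b"\x89PNG")  # constructed content, just the PNG magic bytes
    secret = os.path.join(tmp, "secret.txt")
    with open(secret, "wb") as f:
        f.write(b"token")
    results = {"ok.png": encode_image_confined(root, "ok.png")}
    for bad in ("../secret.txt", secret, "."):  # traversal, absolute path, directory
        try:
            encode_image_confined(root, bad)
            results[bad] = "accepted"
        except ImagePathRejected:
            results[bad] = "rejected"
    # The unconfined variant returns the secret without complaint.
    results["unconfined_leaks_secret"] = encode_image_unconfined(secret) == "dG9rZW4="
    return results
```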

Weakness Enumeration

Out-of-bounds Read
Path traversal

Related Identifiers

CVE-2025-57697
GHSA-VM2F-46XC-5JC3

Affected Products

Astrbot Project