PT-2025-45799 · Pypi · Astrbot

Published

2025-11-07

·

Updated

2025-11-07

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

AstrBot v3.5.22 contains a directory traversal vulnerability. The upload handler behind the '/plugin/install-upload' endpoint reads the filename from the user-supplied request body and assigns it directly to the destination file path without validating it. That path is then passed to file.save, so a filename containing traversal sequences such as '../' lets the uploaded file be written to an arbitrary location on the server's file system, not just the intended plugin directory. No authentication or user interaction is required (PR:N/UI:N), and the impact is on integrity (VI:H): an unauthenticated client can place attacker-controlled content at any path the AstrBot process can write.
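The vulnerable pattern described above, beside a hardened replacement, as an added example written for this page. It is not AstrBot's own code: the function names, UPLOAD_ROOT, the allow-list regex, the ".zip" restriction and the sample filenames are assumptions made for illustration, and the upload bytes are constructed.

```python
"""Added example, not AstrBot's code.

unsafe_target() reproduces the vulnerable shape from the advisory: the
user-controlled filename is joined straight into the save path.
safe_target() is a hypothetical hardened replacement that allow-lists the
name, restricts the extension and proves the resolved path stays inside
the upload directory before anything is written.
"""
import os
import re
import tempfile
from pathlib import Path

# Hypothetical directory where uploaded plugin archives are meant to land.
UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="astrbot-plugins-"))

# Assumed policy: a plain file name (no separators, no leading dot,
# bounded length) with a .zip extension. Adjust to the real product.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")
ALLOWED_SUFFIXES = {".zip"}


def unsafe_target(upload_root: Path, filename: str) -> Path:
    """Vulnerable pattern: '..' segments in filename walk out of upload_root.
    os.path.join() behaves the same way as the '/' operator here."""
    return upload_root / filename


def escapes_root(upload_root: Path, target: Path) -> bool:
    """True if target, once normalised, is not inside upload_root."""
    root = os.path.realpath(upload_root)
    resolved = os.path.realpath(target)
    return os.path.commonpath([root, resolved]) != root


def safe_target(upload_root: Path, filename: str) -> Path:
    """Hardened version: reject rather than silently repair bad names."""
    # Backslashes are treated as separators too, so Windows-style traversal
    # ('..\\..\\x.zip') fails the allow-list instead of slipping through.
    name = filename.replace("\\", "/")
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected filename: {filename!r}")
    if Path(name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"rejected extension: {filename!r}")
    # Belt and braces: resolve() follows symlinks, so a pre-planted symlink
    # named like a plugin archive cannot redirect the write either.
    root = upload_root.resolve()
    target = (root / name).resolve()
    if target.parent != root:
        raise ValueError(f"path escapes upload root: {filename!r}")
    return target


def is_rejected(filename: str) -> bool:
    """Helper for checks: does the hardened path builder refuse filename?"""
    try:
        safe_target(UPLOAD_ROOT, filename)
    except ValueError:
        return True
    return False


def save_upload(upload_root: Path, filename: str, data: bytes) -> Path:
    """What the handler should do: validate first, then save."""
    target = safe_target(upload_root, filename)
    target.write_bytes(data)
    return target


if __name__ == "__main__":
    # Constructed sample: a traversal filename and a minimal empty zip
    # (end-of-central-directory record only).
    traversal = "../../escaped.zip"
    print("unsafe path escapes root:", escapes_root(UPLOAD_ROOT, unsafe_target(UPLOAD_ROOT, traversal)))
    print("hardened path rejects it:", is_rejected(traversal))
    saved = save_upload(UPLOAD_ROOT, "my_plugin-1.0.zip", b"PK\x05\x06" + b"\x00" * 18)
    print("saved inside upload root:", saved)
```

The design choice worth noting is refusal over repair: calling os.path.basename() on the attacker's string would also neutralise '../../x.zip', but it turns a hostile request into a silently accepted one and does not address symlinks or alternate separators. Validating the name against an allow-list and then checking the resolved parent directory covers both, and any rejection is an event worth logging.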

Fix

Weakness Enumeration

Path traversal

Related identifiers

GHSA-XRJ9-MW57-J34V

Affected products

Astrbot