Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-57697

AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function _encode_image_bs64. Since the _encode_image_bs64 function defined in entities.py opens the image specified by the user in the request body and returns the image content as a base64-encoded string without checking the legitimacy of the image path, attackers can construct a series of malicious URLs to read any specified file, resulting in sensitive data leakage.

Published

2025-11-07T18:15:36.200

Last Modified

2025-12-05T20:42:56.480

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-125

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	astrbot	astrbot	3.5.22	Yes

References

https://github.com/DYX217/vulnerability-explore/blob/main/1/README.md Exploit, Third Party Advisory ([email protected])