VYPR
Moderate severity · NVD Advisory · Published Nov 7, 2025 · Updated Nov 12, 2025

CVE-2025-57697

Description

AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function _encode_image_bs64. Since the _encode_image_bs64 function defined in entities.py opens the image specified by the user in the request body and returns the image content as a base64-encoded string without checking the legitimacy of the image path, attackers can construct a series of malicious URLs to read any specified file, resulting in sensitive data leakage.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AstrBot v3.5.22 has an arbitrary file read in _encode_image_bs64, allowing attackers to read any file via a malicious image path.

Vulnerability

Description

The arbitrary file read vulnerability exists in AstrBot Project v3.5.22, specifically within the _encode_image_bs64 function defined in entities.py. This function opens an image file specified by the user in the request body and returns its content as a base64-encoded string, but it does not validate the legitimacy of the provided image path [1][3]. This allows an attacker to supply a malicious path pointing to any file on the server.

Attack Vector

The vulnerability can be exploited remotely without authentication. An attacker constructs a crafted request containing a file URL (e.g., using file:///etc/passwd or similar) as the image_url parameter. The _encode_image_bs64 function reads the file at that path and returns its contents as a base64 string. This string is then stored in the conversation history within a SQLite database, making the leaked data accessible [1]. The attack requires only the ability to send a request to the AstrBot service (e.g., via the webchat interface or other supported platforms).

Impact

Successful exploitation leads to disclosure of sensitive server files, such as configuration files, credentials, or other confidential data stored on the server. This can result in further compromise of the system or data breaches [3].

Mitigation

As of the latest version (v3.5.22), the vulnerability remains unpatched. Users should monitor the official AstrBot repository [2] for updates and apply patches as soon as they become available. In the interim, restricting access to the AstrBot instance and implementing input validation on image paths can reduce risk.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
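Added example (not AstrBot's code; the image directory, file names and file contents are constructed assumptions) showing the unchecked-path pattern the advisory describes next to a hardened encoder that rejects URL schemes other than a local file reference and only opens regular files that resolve inside an allowed directory:

```python
import base64
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed sandbox standing in for the bot's image directory (assumption:
# AstrBot's real storage layout is not described on the page).
IMAGE_ROOT = Path(tempfile.mkdtemp(prefix="astrbot-images-")).resolve()
SAMPLE_PNG = IMAGE_ROOT / "cat.png"
SAMPLE_PNG.write_bytes(b"\x89PNG\r\n\x1a\n" + b"constructed image body")
SAMPLE_B64 = base64.b64encode(SAMPLE_PNG.read_bytes()).decode("ascii")
# Constructed file outside IMAGE_ROOT, standing in for a server secret.
OUTSIDE_FILE = Path(tempfile.mkdtemp(prefix="astrbot-outside-")).resolve() / "secret.txt"
OUTSIDE_FILE.write_bytes(b"constructed secret")

class UnsafeImagePath(ValueError):
    """User-supplied image reference does not name a file inside IMAGE_ROOT."""

def encode_image_bs64_unsafe(image_url: str) -> str:
    """The vulnerable pattern the advisory describes: the path is trusted verbatim."""
    path = urlparse(image_url).path if image_url.startswith("file://") else image_url
    with open(path, "rb") as fh:
        return base64.b64encode(fh.read()).decode("ascii")

def resolve_image_path(image_url: str, root: Path = IMAGE_ROOT) -> Path:
    """Map a user-supplied reference to a regular file strictly inside root."""
    parsed = urlparse(image_url)
    if parsed.scheme not in ("", "file"):
        raise UnsafeImagePath(f"unsupported scheme {parsed.scheme!r}")
    if parsed.netloc:
        raise UnsafeImagePath("host component not allowed in an image reference")
    raw = parsed.path if parsed.scheme == "file" else image_url
    # Join, then resolve symlinks and '..' before the containment check; an
    # absolute 'raw' replaces root in the join and is caught the same way.
    candidate = (root / raw).resolve()
    if not candidate.is_relative_to(root):
        raise UnsafeImagePath(f"{image_url!r} escapes {root}")
    if not candidate.is_file():
        raise UnsafeImagePath(f"{image_url!r} is not a regular file")
    return candidate

def encode_image_bs64_safe(image_url: str) -> str:
    # Hardened form: only a path vetted by resolve_image_path is ever opened.
    with open(resolve_image_path(image_url), "rb") as fh:
        return base64.b64encode(fh.read()).decode("ascii")

def rejected(image_url: str) -> bool:
    try:
        encode_image_bs64_safe(image_url)
    except UnsafeImagePath:
        return True
    return False
```

The containment check must run on the resolved path, not the raw string, so that symlinks and `..` segments cannot bypass a prefix comparison.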

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions    Patched versions
AstrBot (PyPI)   <= 3.5.22            (none)

Patches

No patches discovered yet.
