CVE-2025-57698

Vulnerability

CVE-2025-57698 is a directory traversal flaw in AstrBot Project version 3.5.22. The handler function install_plugin_upload of the interface /plugin/install-upload parses the filename from the request body provided by the user and directly uses it to construct the file path without validation. The variable file_path is then passed to the file.save function, enabling an attacker to write files to arbitrary locations on the file system [1][2][3].

To exploit this vulnerability, an attacker must be able to send HTTP requests to the /plugin/install-upload endpoint. No authentication is mentioned as a prerequisite, meaning any unauthenticated user with network access to the AstrBot instance could potentially exploit it. The attack vector involves crafting a malicious filename containing path traversal sequences (e.g., ../) in the request body, which the server then uses to save the uploaded file content to write to an attacker-controlled path [3].

The impact of successful exploitation is arbitrary file write. An attacker could overwrite critical system files, inject malicious code (such as a web shell), or modify application configuration, potentially leading to remote code execution or complete compromise of the AstrBot server [3].

As of the publication date (2025-11-07), the vendor has not released a patch. Users are advised to restrict network access to the vulnerable endpoint, implement input validation for filenames, or upgrade to a patched version once available [1][2].