High severityOSV Advisory· Published Oct 2, 2025· Updated Apr 15, 2026

CVE-2025-59835

Description

LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5.

Affected products

App/LangbotOSV
Range: v4.1.0, v4.1.1, v4.1.2, …

Patches

d1274366a0b4

chore: release v4.3.5

https://github.com/langbot-app/langbotJunyan QinOct 2, 2025via osv

commit

2 files changed · +2 −2

pkg/utils/constants.py+1 −1 modified

@@ -1,4 +1,4 @@
-semantic_version = 'v4.3.4'
+semantic_version = 'v4.3.5'
 
 required_database_version = 8
 """Tag the version of the database schema, used to check if the database needs to be migrated"""

pyproject.toml+1 −1 modified

@@ -1,6 +1,6 @@
 [project]
 name = "langbot"
-version = "4.3.4"
+version = "4.3.5"
 description = "Easy-to-use global IM bot platform designed for LLM era"
 readme = "README.md"
 requires-python = ">=3.10.1,<4.0"

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000