GHSA-4m32-cjv7-f425
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4m32-cjv7-f425
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-4m32-cjv7-f425/GHSA-4m32-cjv7-f425.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-4m32-cjv7-f425
- Aliases
-
- CVE-2025-55449
- Published
- 2025-11-14T21:52:23Z
- Modified
- 2025-11-17T18:01:08.173114Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- AstrBot is vulnerable to RCE with hard-coded JWT signing keys
- Details
-
Summary
AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin.
Details
AstrBot uses a hard-coded JWT signing key, which allows attackers to bypass the authentication mechanism. Once bypassed, the attacker can install a Python plugin that will be imported here, enabling arbitrary command execution on the target host.
Impact
All publicly accessible AstrBot instances are vulnerable.
For more information, please see: CVE-2025-55449-AstrBot-RCE
Patch
This vulnerability was first reported on 2025-06-21 and was patched on the same day (2025-06-21).
The vulnerability was publicly disclosed on 2025-11-14. Prior to public disclosure, monitoring from AstrBot Cloud indicated that fewer than 2% of deployed instances were still running the affected version. Therefore, this disclosure is not expected to have a significant impact on existing active instances.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2025-11-14T21:52:23Z", "cwe_ids": [ "CWE-345", "CWE-798" ], "severity": "CRITICAL", "nvd_published_at": null }- References
-
- https://github.com/AstrBotDevs/AstrBot/security/advisories/GHSA-4m32-cjv7-f425
- https://github.com/AstrBotDevs/AstrBot/commit/d03e9fb90a0921a1bd10cf480bdacc9aaa246472
- https://github.com/AstrBotDevs/AstrBot
- https://github.com/AstrBotDevs/AstrBot/releases/tag/v3.5.18
- https://github.com/Marven11/CVE-2025-55449-AstrBot-RCE
Affected packages
PyPI / astrbot
Package
- Name
- astrbot
- View open source insights on deps.dev
- Purl
- pkg:pypi/astrbot