CVE-2025-59835
8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
Summary
LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| langbot-app | LangBot | >= 4.1.0, < 4.3.5 | affected |
Weaknesses
- CWE-23: CWE-23: Relative Path Traversal
- CWE-434: CWE-434: Unrestricted Upload of File with Dangerous Type
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://github.com/langbot-app/LangBot/security/advisories/GHSA-7j3j-qj83-9qv4
- https://github.com/langbot-app/LangBot/pull/1691
- https://github.com/langbot-app/LangBot/releases/tag/v4.3.5
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.