CVE-2025-59835

LangBot has a cross-directory file upload vulnerability, which could lead to system takeover

CVSS 8.6 HIGHEPSS 0.4%CWE-23 CWE-434

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.6EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

02 oct 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P

Productos afectados

langbot-app · LangBot

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/langbot-app/LangBot/pull/1691 https://github.com/langbot-app/LangBot/releases/tag/v4.3.5 https://github.com/langbot-app/LangBot/security/advisories/GHSA-7j3j-qj83-9qv4