CVE-2025-59835

LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5.

CVSS

No CVSS.

References

Link	Resource
https://github.com/langbot-app/LangBot/pull/1691
https://github.com/langbot-app/LangBot/releases/tag/v4.3.5
https://github.com/langbot-app/LangBot/security/advisories/GHSA-7j3j-qj83-9qv4

Configurations

No configuration.

History

02 Oct 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-02 19:15

Updated : 2025-10-02 19:15

NVD link : CVE-2025-59835

Mitre link : CVE-2025-59835

CVE.ORG link : CVE-2025-59835

JSON object : View

Products Affected

No product.

CWE

CWE-23

Relative Path Traversal

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2025-59835", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-10-02T19:15:31.983", "references": [{"url": "https://github.com/langbot-app/LangBot/pull/1691", "source": "security-advisories@github.com"}, {"url": "https://github.com/langbot-app/LangBot/releases/tag/v4.3.5", "source": "security-advisories@github.com"}, {"url": "https://github.com/langbot-app/LangBot/security/advisories/GHSA-7j3j-qj83-9qv4", "source": "security-advisories@github.com"}], "vulnStatus": "Received", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-23"}, {"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5."}], "lastModified": "2025-10-02T19:15:31.983", "sourceIdentifier": "security-advisories@github.com"}