{"id":"CVE-2025-57697","details":"AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function _encode_image_bs64. Since the _encode_image_bs64 function defined in entities.py opens the image specified by the user in the request body and returns the image content as a base64-encoded string without checking the legitimacy of the image path, attackers can construct a series of malicious URLs to read any specified file, resulting in sensitive data leakage.","aliases":["GHSA-vm2f-46xc-5jc3"],"modified":"2026-04-10T05:31:08.595433Z","published":"2025-11-07T18:15:36.200Z","references":[{"type":"EVIDENCE","url":"https://github.com/DYX217/vulnerability-explore/blob/main/1/README.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/astrbotdevs/astrbot","events":[{"introduced":"0"},{"last_affected":"2915fdf665a1c0f7a7ecc4caa9bbd6988dfd63ab"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.5.22"}]}}],"versions":["publish","publish2.1","publish2.4","publish2.5","publish2.8","publish2.9","v3.0.1","v3.0.2","v3.0.3","v3.0.6","v3.0.7","v3.1.10","v3.1.11","v3.1.12","v3.1.13","v3.1.2","v3.1.3","v3.1.4","v3.1.5","v3.1.6","v3.1.7","v3.1.8","v3.1.9","v3.2.0","v3.2.1","v3.2.2","v3.2.3","v3.2.4","v3.2.5","v3.3.0","v3.3.1","v3.3.10","v3.3.11","v3.3.12","v3.3.13","v3.3.14","v3.3.15","v3.3.16","v3.3.17","v3.3.18","v3.3.2","v3.3.3","v3.3.4","v3.3.5","v3.3.6","v3.3.7","v3.3.8","v3.3.9","v3.4.0","v3.4.1","v3.4.10","v3.4.11","v3.4.12","v3.4.13","v3.4.14","v3.4.15","v3.4.16","v3.4.17","v3.4.18","v3.4.19","v3.4.2","v3.4.20","v3.4.21","v3.4.22","v3.4.23","v3.4.24","v3.4.25","v3.4.26","v3.4.27","v3.4.28","v3.4.29","v3.4.3","v3.4.30","v3.4.31","v3.4.32","v3.4.33","v3.4.34","v3.4.35","v3.4.36","v3.4.37","v3.4.38","v3.4.39","v3.4.4","v3.4.5","v3.4.6","v3.4.7","v3.4.8","v3.4.9","v3.5.0","v3.5.1","v3.5.10","v3.5.11","v3.5.12","v3.5.13","v3.5.14","v3.5.15","v3.5.16","v3.5.17","v3.5.18","v3.5.19","v3.5.2","v3.5.20","v3.5.21","v3.5.22","v3.5.3","v3.5.3.1","v3.5.3.2","v3.5.4","v3.5.5","v3.5.6","v3.5.7","v3.5.8","v3.5.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57697.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"}]}