CVE-2025-59835
BaseFortify
Publication date: 2025-10-02
Last updated on: 2025-10-06
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langbot | langbot | 4.3.5 |
| langbot | langbot | 4.1.0 |
| langbot | langbot | 4.2.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in LangBot versions 4.1.0 up to but not including 4.3.5 allows authorized attackers to exploit the /api/v1/files/documents interface to upload arbitrary files. Because the interface does not strictly restrict where files are stored on the server, attackers can upload dangerous files to specific system directories, potentially compromising the system. This issue is fixed in version 4.3.5.
How can this vulnerability impact me?
The vulnerability can allow attackers to upload malicious files to critical system directories, which may lead to system compromise, unauthorized code execution, or disruption of services. This poses a significant security risk to the affected system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade LangBot to version 4.3.5 or later, as this version fixes the arbitrary file upload vulnerability in the /api/v1/files/documents interface.
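As an added illustration of the mitigation the Q&A describes (example code written for this page, not LangBot's own implementation; the storage root, the suffix allow-list and the function names are assumptions), a Python check that confines an uploaded document to one storage directory, refusing the traversal sequences behind CWE-23 and the unexpected file types behind CWE-434:

```python
from pathlib import Path, PurePosixPath

# Hypothetical storage root for uploaded documents (an assumption, not LangBot's layout).
DOCUMENT_ROOT = Path("/srv/langbot/documents")
# Allow-list of document types the endpoint is meant to accept (also an assumption).
ALLOWED_SUFFIXES = {".txt", ".md", ".pdf", ".docx"}


class UnsafeUploadError(ValueError):
    """Raised when a client-supplied filename must not be stored as requested."""


def resolve_upload_path(filename: str, root: "Path | str" = DOCUMENT_ROOT) -> Path:
    """Return the only path under `root` where `filename` may be written.

    Rejects (rather than silently rewrites) anything that is not a bare file
    name, so traversal attempts surface in logs instead of being absorbed:
      - CWE-23: directory components, '..' and absolute prefixes are refused;
      - CWE-434: the suffix must be on the allow-list.
    """
    if not filename or "\x00" in filename:
        raise UnsafeUploadError("empty filename or embedded NUL byte")
    # Normalise backslashes so 'a\\..\\b' is judged the same way as 'a/../b'.
    name = PurePosixPath(filename.replace("\\", "/")).name
    if name != filename or name in ("", ".", ".."):
        raise UnsafeUploadError(f"filename contains path components: {filename!r}")
    if Path(name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafeUploadError(f"file type not allowed: {name!r}")
    root_resolved = Path(root).resolve()
    candidate = (root_resolved / name).resolve()
    # Second, independent check: resolve() follows symlinks, so a pre-planted
    # link inside root that points elsewhere is caught here even though the
    # name passed the syntactic test above.
    if candidate.parent != root_resolved:
        raise UnsafeUploadError(f"{candidate} escapes {root_resolved}")
    return candidate


def upload_is_confined(filename: str, root: "Path | str" = DOCUMENT_ROOT) -> bool:
    """Convenience predicate for callers that only need accept/reject."""
    try:
        resolve_upload_path(filename, root)
        return True
    except UnsafeUploadError:
        return False
```

Logging each `UnsafeUploadError` with the authenticated user gives the detection signal for upload abuse that the upgrade alone does not provide.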