LangBot has a cross-directory file upload vulnerability, which could lead...

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P

Description

LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5.

Basic Information

ID CVE-2025-59835

Source GitHub_M

Published Oct 2, 2025 at 18:59

Affected Product

Vendor langbot-app

Product LangBot

Version >= 4.1.0, < 4.3.5

Affected Versions langbot-app LangBot >= 4.1.0, < 4.3.5

CWE Classification

CWE-23 CWE-434

References

{
    "lastseen": "",
    "description": "LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5.",
    "published": "2025-10-02T18:59:42.808Z",
    "modified": "2025-10-02T18:59:42.808Z",
    "type": "cve",
    "title": "LangBot has a cross-directory file upload vulnerability, which could lead to system takeover",
    "source": "GitHub_M",
    "references": "https://github.com/langbot-app/LangBot/security/advisories/GHSA-7j3j-qj83-9qv4\nhttps://github.com/langbot-app/LangBot/pull/1691\nhttps://github.com/langbot-app/LangBot/releases/tag/v4.3.5",
    "id": "CVE-2025-59835",
    "bulletinFamily": "",
    "cwe": [
        "CWE-23",
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "langbot-app LangBot >= 4.1.0, < 4.3.5",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "LangBot",
    "version": ">= 4.1.0, < 4.3.5",
    "vendor": "langbot-app",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

LangBot has a cross-directory file upload vulnerability, which could lead to system takeover_CVE-2025-59835