← back
CVE-2025-59835

LangBot has a cross-directory file upload vulnerability, which could lead to system takeover

CVSS 8.6 HIGHEPSS 0.4%CWE-23CWE-434
LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
Affected products
langbot-app · LangBot

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/langbot-app/LangBot/pull/1691https://github.com/langbot-app/LangBot/releases/tag/v4.3.5https://github.com/langbot-app/LangBot/security/advisories/GHSA-7j3j-qj83-9qv4