
Description

LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Because this interface does not strictly restrict the directory in which uploaded files are stored on the server, dangerous files can be written to specific system directories. This is fixed in version 4.3.5.
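The two weaknesses listed for this entry (CWE-23 relative path traversal and CWE-434 unrestricted upload) are usually fixed together at the point where the upload handler turns a client-supplied filename into a storage path. The following is an added illustration written for this entry; it is not LangBot's code and does not reflect how the project's handler or the fix in pull request 1691 is implemented. The storage directory `/srv/uploads` and the extension allowlist are constructed values.

```python
"""Added illustration: confining uploaded documents to a fixed storage directory.

Generic example code written for this entry, not LangBot's own upload handler.
The upload root and the extension allowlist below are constructed values.
"""
import os
from pathlib import Path, PurePosixPath

# Constructed allowlist of document types the endpoint is willing to store.
ALLOWED_SUFFIXES = frozenset({".pdf", ".txt", ".md"})


def naive_join(upload_root: str, user_filename: str) -> str:
    """The pattern CWE-23 describes: the user-supplied name is joined to the
    storage directory and normalized, so '..' segments walk out of it."""
    return os.path.normpath(os.path.join(upload_root, user_filename))


def is_within(root: Path, candidate: Path) -> bool:
    """True when candidate lies inside root after resolving symlinks and '..'.
    Comparing resolved paths (not string prefixes) avoids '/srv/uploads-evil'
    being accepted as a child of '/srv/uploads'."""
    root = root.resolve()
    candidate = candidate.resolve()
    return candidate == root or root in candidate.parents


def safe_upload_path(upload_root: str, user_filename: str,
                     allowed_suffixes: frozenset = ALLOWED_SUFFIXES) -> Path:
    """Return the path at which an uploaded document may be stored, or raise
    ValueError. Three independent checks:
      1. keep only the final path component (drops directories and '..');
      2. accept only an explicit set of document extensions (CWE-434);
      3. verify the resolved destination is still under upload_root (CWE-23).
    """
    # Treat backslashes as separators too, so 'a\\..\\b' is not one name.
    name = PurePosixPath(user_filename.replace("\\", "/")).name
    if name in ("", ".", ".."):
        raise ValueError("invalid filename")
    if name.startswith("."):
        raise ValueError("hidden files are not accepted")
    if PurePosixPath(name).suffix.lower() not in allowed_suffixes:
        raise ValueError("file type not allowed")
    root = Path(upload_root)
    candidate = root / name
    if not is_within(root, candidate):
        raise ValueError("destination escapes the upload directory")
    return candidate


def upload_accepted(upload_root: str, user_filename: str) -> bool:
    """Convenience predicate: would safe_upload_path accept this name?"""
    try:
        safe_upload_path(upload_root, user_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    root = "/srv/uploads"  # constructed storage directory
    for submitted in ["report.pdf", "../../etc/cron.d/job.txt", "run.py", ".."]:
        print(f"{submitted!r:32} naive -> {naive_join(root, submitted)}")
        print(f"{'':32} checked -> "
              f"{safe_upload_path(root, submitted) if upload_accepted(root, submitted) else 'rejected'}")
```

The naive join is shown only to make the contrast visible: with it, a name containing `../` segments resolves to a location outside the storage directory, which is exactly the class of defect this entry records. The checked version reduces the name to its last component, applies an extension allowlist, and then still verifies the resolved destination, so each layer holds if another is bypassed.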

PUBLISHED Reserved 2025-09-22 | Published 2025-10-02 | Updated 2025-10-02 | Assigner GitHub_M

HIGH: 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P

Problem types

CWE-23: Relative Path Traversal

CWE-434: Unrestricted Upload of File with Dangerous Type

Product status

Affected: >= 4.1.0, < 4.3.5

References

github.com/...angBot/security/advisories/GHSA-7j3j-qj83-9qv4

github.com/langbot-app/LangBot/pull/1691

github.com/langbot-app/LangBot/releases/tag/v4.3.5

cve.org (CVE-2025-59835)

nvd.nist.gov (CVE-2025-59835)
