AstrBot Arbitrary File Write via Path-Authorization Mismatch in astrbot_file_write_tool

Vulnerability Overview Title: Non-admin Arbitrary File Write via Path-Authorization Mismatch in / Description: A local runtime authorization vulnerability allows non-admin users to write arbitrary files to the global shared skills directory via filesystem tools. The write/edit path guard reuses the read-only root directory, meaning paths within the data/skills directory are not verifiable for restricted users. This can lead to persistent malicious skill injection and potential remote code execution when the injected skills are loaded or invoked. Details: The vulnerable logic is located in . includes the global skills path for restricted users (for read access). accepts absolute paths. is reused by both read and write/edit workflows and only checks membership in . Since both and rely on , a restricted user can provide an absolute path such as and bypass authorization. Affected Scope Ecosystem: GitHub (Self-hosted applications) Package Name: AstrBot Affected Versions: Remediation Patch Version: POC Code Reproduction Steps 1. Download the exploit script from . 2. Run the exploit script: 3. The script logs in to , triggers , and forces the invocation of a tool that writes to . 4. Verify that the file exists and contains attacker-controlled content. 5. Download the control script from . 6. Run the control script: 7. Confirm that the control case is blocked because the write target is outside the allowed root directory. 8. Runtime log artifacts: Evidence Logs Observed Exploit Run Output: Observed Control Run Output: Local Verification After Exploit: exists. File content contains . Impact This is an authorization bypass / arbitrary file write vulnerability in an authenticated non-admin context. An attacker can modify globally shared skill content, enabling persistent malicious skill injection and potentially leading to subsequent code execution paths when skills are loaded or executed. Impacts include integrity compromise of shared automation logic and potential confidentiality/availability impacts depending on the injected behavior. Weakness CWE: CWE-863: Incorrect Authorization CWE: CWE-284: Improper Access Control Occurrence Permanent Links: - https://github.com/AstrBotDevs/AstrBot/blob/67c7445d253846c232477a1ebcb2823a522a029c/astrbot/core/tools/computer_tools/fs.py#L99 - https://github.com/AstrBotDevs/AstrBot/blob/67c7445d253846c232477a1ebcb2823a522a029c/astrbot/core/tools/computer_tools/fs.py#L122 - https://github.com/AstrBotDevs/AstrBot/blob/67c7445d253846c232477a1ebcb2823a522a029c/astrbot/core/tools/computer_tools/fs.py#L158 - https://github.com/AstrBotDevs/AstrBot/blob/67c7445d253846c232477a1ebcb2823a522a029c/astrbot/core/tools/computer_tools/fs.py#L320 - https://github.com/AstrBotDevs/AstrBot/blob/67c7445d253846c232477a1ebcb2823a522a029c/astrbot/core/tools/computer_tools/fs.py#L406

Goal Reached Thanks to every supporter — we hit 100%!

AstrBot Arbitrary File Write via Path-Authorization Mismatch in astrbot_file_write_tool

More from this source