Soumettre #821923: AstrBotDevs AstrBot 4.24.2 Insecure Direct Object Reference (CWE-639)information

TitreAstrBotDevs AstrBot 4.24.2 Insecure Direct Object Reference (CWE-639)
Description# Technical Details An Insecure Direct Object Reference (IDOR) exists in the event processing logic in `astrbot/core/astr_main_agent.py` of AstrBot. The application fails to validate delimiter characters when extracting session IDs from user-controlled WebChat events. By injecting a `!` character into the `session_id` parameter (e.g., `attacker!victim_session_id`), the server's `.split("!")[-1]` logic will extract the victim's session ID as the target. This allows any authenticated attacker to associate their actions with another user's session and arbitrarily overwrite the victim's session metadata, such as the display title. # Vulnerable Code File: astrbot/core/astr_main_agent.py Method: handle_event Why: The code uses an unsafe string splitting operation `event.session_id.split("!")[-1]` on an attacker-controlled variable that has not been sanitized against delimiter injection. # Reproduction 1. Log into the AstrBot Dashboard via `/api/auth/login` to obtain an authentication token. 2. Identify or enumerate a target victim's session ID (e.g., UUID format). 3. Connect to the WebSocket `/api/unified_chat/ws`. 4. Send a message with `session_id` set to `attacker!{victim_session_id}` containing the command `//rename EXPLOIT_RENAMED`. 5. The backend will rename the victim's session display name in the database. # Impact - Arbitrary modification of metadata for any user's session on the platform. - Impairment of data integrity and potential disruption of automated workflows that rely on accurate session metadata.
La source⚠️ https://gist.github.com/YLChen-007/91a7f955143099e1747424707dfad0f9
Utilisateur
 Eric-a (UID 96353)
Soumission07/05/2026 13:32 (il y a 28 jours)
Modérer31/05/2026 09:14 (24 days later)
StatutAccepté
Entrée VulDB367491 [AstrBotDevs AstrBot 4.24.2 astr_main_agent.py astr_main_agent session_id élévation de privilèges]
Points20

PrécédentAperçuSuivant

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!