Submission #821924: AstrBotDevs AstrBot 4.23.6 Path Traversal (CWE-22)

Title: AstrBotDevs AstrBot 4.23.6 Path Traversal (CWE-22)
Description:

# Technical Details

A path traversal vulnerability exists in the `/api/skills/delete` API endpoint of AstrBot. The application does not sanitize the `name` parameter supplied during skill deletion. An authenticated attacker can place a traversal payload in the JSON body (e.g., `{"name": "../target_directory"}`) to delete arbitrary directories on the underlying host filesystem, bypassing the intended restriction to the skills folder.

# Vulnerable Code

File: [Needs Manual Input]
Method: delete_skill (API: /api/skills/delete)
Why: The endpoint uses the attacker-controlled `name` parameter to build the directory path that is deleted, without normalizing it or checking that the result stays inside the skills folder.

# Reproduction

1. Authenticate to the AstrBot Dashboard via `/api/auth/login` to obtain a JWT token.
2. Send a `POST` request to the `/api/skills/delete` endpoint using that token.
3. Supply a JSON payload that targets a directory outside the intended scope using path traversal: `{"name": "../poc_target_exploit"}`.
4. Observe that the directory outside the skills folder is deleted from the server filesystem.

# Impact

- Arbitrary directory deletion, resulting in potential data loss.
- High risk of denial of service (DoS) by removing critical application or system directories.
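As an added illustration (this is not code from AstrBot or from the submitter; the real handler's file is still marked as needing manual input above), the Python below sketches the pattern the description points at: a naive join of the user-supplied `name` onto the skills directory, beside a hardened variant that rejects separators and traversal components and confirms the resolved path is still a child of the skills root. The function names, the `skills_root` layout and the `poc_target_exploit` sibling directory are assumptions for the demonstration; the demo builds its own scratch directories and deletes nothing outside them.

```python
import os
import shutil
import tempfile
from pathlib import Path


def naive_skill_path(skills_root: str, name: str) -> str:
    """Mirrors the flaw the advisory describes: the caller-supplied name is
    joined onto the skills root with no normalization or boundary check, so
    "../x" walks out of the skills folder. (Illustrative, not AstrBot code.)"""
    return os.path.join(skills_root, name)


def safe_skill_path(skills_root: str, name: str) -> Path:
    """Hardened variant: reject empty names, "." / "..", path separators and
    NUL bytes, then verify the *resolved* target (symlinks followed) is a
    strict descendant of the resolved skills root."""
    if not name or name in (".", "..") or "/" in name or "\\" in name or "\x00" in name:
        raise ValueError("invalid skill name")
    root = Path(skills_root).resolve()
    target = (root / name).resolve()
    if target == root or root not in target.parents:
        raise ValueError("skill path escapes skills directory")
    return target


def name_is_rejected(name: str, skills_root: str = "skills") -> bool:
    """True if the hardened check refuses this name (root need not exist)."""
    try:
        safe_skill_path(skills_root, name)
        return False
    except ValueError:
        return True


def delete_skill(skills_root: str, name: str, *, hardened: bool) -> bool:
    """Delete the skill directory; returns True if a directory was removed."""
    if hardened:
        target = safe_skill_path(skills_root, name)
    else:
        target = Path(naive_skill_path(skills_root, name))
    if target.is_dir():
        shutil.rmtree(target)
        return True
    return False


def demo() -> dict:
    """Constructed scenario: a skills folder plus a sibling directory outside
    it, matching the advisory's `../poc_target_exploit` payload. Returns what
    each variant did so the outcome can be checked rather than printed."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:  # assumed scratch layout
        skills = os.path.join(tmp, "skills")
        os.makedirs(os.path.join(skills, "legit_skill"))
        victim = os.path.join(tmp, "poc_target_exploit")
        os.makedirs(victim)

        # Naive handler: the traversal payload removes the sibling directory.
        results["naive_deleted_sibling"] = delete_skill(
            skills, "../poc_target_exploit", hardened=False)
        results["sibling_exists_after_naive"] = os.path.isdir(victim)

        # Hardened handler: same payload is refused before any filesystem access.
        os.makedirs(victim)
        try:
            delete_skill(skills, "../poc_target_exploit", hardened=True)
            results["hardened_rejected"] = False
        except ValueError:
            results["hardened_rejected"] = True
        results["sibling_exists_after_hardened"] = os.path.isdir(victim)

        # Hardened handler still deletes a real skill inside the root.
        results["hardened_deleted_legit"] = delete_skill(
            skills, "legit_skill", hardened=True)
    return results


if __name__ == "__main__":
    print(demo())
```

Two details in the hardened check matter in practice: comparing the resolved target against the resolved root catches a skill directory that is a symlink pointing elsewhere, which a purely lexical `normpath` check would miss; and refusing `target == root` prevents an empty or "." name from deleting the skills folder itself.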
Source: ⚠️ https://gist.github.com/YLChen-007/8155cf1b9519f0a3524eea73dfeead2f
User: Eric-a (UID 96353)
Submission: 07/05/2026 01:32 PM (28 days ago)
Moderation: 31/05/2026 09:14 AM (24 days later)
Status: Accepted
VulDB Entry: 367492 [AstrBotDevs AstrBot 4.23.6 API Endpoint /api/skills/delete name directory traversal]
Points: 20
