Python is a high-level, general-purpose programming language. Its key feature is the high readability of the code. It supports multiple programming paradigms, including Object-Oriented Programming (OOP) and Functional Programming.

Python

AstrBot is an open-source multi-platform chatbot framework that enables users to deploy AI-powered conversational agents across various messaging platforms including QQ, Telegram, and WeChat. It provides a unified interface for connecting to different LLM backends like OpenAI, Claude, and local models. The platform includes a web-based dashboard for configuration, plugin management, and conversation monitoring.

AstrBot

### Summary
AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin.
### Details
AstrBot uses a [hard-coded JWT signing key](https://github.com/AstrBotDevs/AstrBot/blob/v3.5.16/astrbot/core/__init__.py), which allows attackers to bypass the authentication mechanism. Once bypassed, the attacker can install a Python plugin that will be imported [here](https://github.com/AstrBotDevs/AstrBot/blob/master/astrbot/dashboard/routes/plugin.py), enabling arbitrary command execution on the target host.
### Impact
All publicly accessible AstrBot instances are vulnerable.
For more information, please see: [CVE-2025-55449-AstrBot-RCE](https://github.com/Marven11/CVE-2025-55449-AstrBot-RCE)
### Patch
This vulnerability was first reported on **2025-06-21** and was patched on the **same day** (2025-06-21).
The vulnerability was publicly disclosed on **2025-11-14**. Prior to public disclosure, monitoring from AstrBot Cloud indicated that fewer than 2% of deployed instances were still running the affected version. Therefore, this disclosure is not expected to have a significant impact on existing active instances.

CVE ID	Severidad	Puntuación	Tecnologías	Nombre del componente	Exploit de CISA KEV	Tiene arreglo	Fecha de publicación
GHSA-66hx-chf7-3332	HIGH	8.8	Python	pyload-ng	No	No	Apr 14, 2026
CVE-2026-40192	HIGH	8.7	Python	pillow	No	Sí	Apr 15, 2026
CVE-2026-40347	MEDIUM	5.3	Python	python-multipart	No	Sí	Apr 15, 2026
GHSA-jj6c-8h6c-hppx	MEDIUM	4.8	Python	pypdf	No	Sí	Apr 15, 2026
GHSA-fj52-5g4h-gmq8	LOW	2.9	Python	pyload-ng	No	No	Apr 14, 2026

CVE-2025-55449:
Python Análisis y mitigación de vulnerabilidades

Summary

Details

Impact

Patch

9.8

Relacionado Python Vulnerabilidades:

Compare su postura de seguridad en la nube

Recursos adicionales de Wiz

¿Listo para ver a Wiz en acción?

CVE-2025-55449: Python Análisis y mitigación de vulnerabilidades