CVE-2025-47948: 
JavaScript vulnerability analysis and mitigation

Cocotais Bot, a QQ official robot framework based on qq-bot-sdk, contains a security vulnerability discovered on May 17, 2025. The vulnerability affects versions from 1.5.0-test2-hotfix up to and including 1.6.1, with version 1.6.2 containing the patch (GitHub Advisory).

The vulnerability stems from improper neutralization of special elements in the command echoing feature. The framework's /echo command fails to sanitize or filter platform-specific control elements, allowing users to inject special platform tags. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L, indicating network accessibility, low attack complexity, and no required privileges or user interaction (GitHub Advisory).

When exploited, this vulnerability allows unauthorized users to bypass permission controls and trigger privileged behavior. Specifically, attackers can use the /echo command to send messages that mention all members in a chat, effectively gaining access to the @全体成员 (mention all) functionality without proper authorization. This can lead to spam, disruption of chat communications, and abuse of notification systems (GitHub Advisory).

The vulnerability has been patched in version 1.6.2 of Cocotais Bot. Users are strongly advised to upgrade to this version to receive the security fix. The patch involves removing the built-in echo command functionality, as evidenced by the commit that removes this feature (GitHub Commit).