
Cloud Vulnerability DB
A community-led vulnerabilities database
AstrBot versions 3.5.17 and earlier contain a critical vulnerability (CVE-2025-55449) involving a hard-coded JWT signing key. The vulnerability was discovered on November 14, 2025, affecting the Python package 'astrbot' distributed via pip. This security flaw has been assigned a CVSS score of 9.8 (Critical) and is tracked as GHSA-4m32-cjv7-f425 (GitHub Advisory).
The vulnerability stems from a hard-coded JWT signing key ('WEBUISK') defined in astrbot/core/__init__.py. This static, publicly known key was used for both signing and verifying authentication tokens. The vulnerability affects two key functions: Auth.generatejwt in astrbot/dashboard/routes/auth.py and DashboardServer.auth_middleware in astrbot/dashboard/server.py. The issue has been classified under CWE-345 (Insufficient Verification of Data Authenticity) and CWE-798 (Use of Hard-coded Credentials) (GitHub Advisory, Miggo).
The vulnerability allows attackers to bypass authentication mechanisms and execute arbitrary commands by installing malicious Python plugins on any publicly accessible AstrBot instance. This results in potential remote code execution (RCE) on the target host, with high impact on confidentiality, integrity, and availability (GitHub Advisory).
The vulnerability has been patched in version 3.5.18 of AstrBot. The fix removes the hard-coded key and implements a system where a unique, random JWT secret is generated and stored in the application's configuration upon first run. Users are strongly advised to upgrade to version 3.5.18 or later (GitHub Release).
Source: This report was generated using AI