CVE-2025-59835 HIGH

CVE-2025-59835: LangBot has a cross-directory file upload vulnerability, which could lead to system takeover

Vendor Langbot-App
Product LangBot
Weakness CWE-23
Published October 2, 2025
Last update October 2, 2025

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P

What the vulnerability does

01Description

LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5.

Key dates

02Disclosure timeline

October 2, 2025 CVE published
October 2, 2025 Record updated