CVE-2024-21624
MEDIUMnonebot2 2.0.1-2.2.0 - Information Exposure via MessageTemplate User Input
Title source: llmDescription
nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg
Issue Tracking, Patch x_refsource_misc
https://github.com/nonebot/nonebot2/pull/2509
Scores
CVSS v3
5.7
EPSS
0.0020
EPSS Percentile
41.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (3)
nonebot/nonebot
2.0.0 (11 CPE variants)
nonebot/nonebot
2.0.1 - 2.2.0
pypi/nonebot2
2.0.0a16 - 2.2.0PyPI
Published
Feb 09, 2024
Tracked Since
Feb 18, 2026