CVE-2025-47948
Severity: HIGH
cocotais-bot 1.5.0-test2-hotfix - 1.6.2 - Unauthenticated Privilege Escalation via Command Echo Injection
Title source: llmDescription
Cocotais Bot is a QQ official robot framework based on qq-bot-sdk. Starting in version 1.5.0-test2-hotfix and prior to version 1.6.2, the command echoing feature in the framework allows users to indirectly trigger privileged behavior by injecting special platform tags. Specifically, an unauthorized user can use the `/echo <qqbot-at-everyone />` command to cause the bot to send a message that mentions all members in the chat, bypassing any permission controls. This can lead to spam, disruption, or abuse of notification systems. Version 1.6.2 contains a patch for the issue.
References (2)
Core References
Vendor Advisory (x_refsource_confirm): https://github.com/cocotais/cocotais-bot/security/advisories/GHSA-mj2c-8hxf-ffvq
Scores
CVSS v3: 7.2
EPSS: 0.0032
EPSS Percentile: 55.4%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-74
Status: published
Products (2)
cocotais/cocotais-bot: >= 1.5.0-test2-hotfix, < 1.6.2
npm/cocotais-bot: 1.5.0-test2-hotfix - 1.6.2 (npm)
Published: May 17, 2025
Tracked Since: Feb 18, 2026