CVE-2025-59835

HIGH

LangBot <4.3.5 - Privilege Escalation

Title source: llm

Description

LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5.

References (3)

[Vendor Advisory] https://github.com/langbot-app/LangBot/security/advisories/GHSA-7j3j-qj83-9qv4

[Issue Tracking] https://github.com/langbot-app/LangBot/pull/1691

[Release Notes] https://github.com/langbot-app/LangBot/releases/tag/v4.3.5

Scores

CVSS v4 8.6

EPSS 0.0006

EPSS Percentile 19.0%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-23 CWE-434

Status published

Products (1)

langbot-app/LangBot >= 4.1.0, < 4.3.5

Published Oct 02, 2025

Tracked Since Feb 18, 2026