Description
AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.
Published: 2026-05-08
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AstrBotDevs AstrBot 3.5.15 uses the hardcoded string Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the private key that signs its JSON Web Tokens. This is a CWE‑321 weakness (use of a hard‑coded cryptographic key). Anyone who knows the key can mint JWTs of their own, impersonate legitimate users or services and bypass authentication; depending on what the bot does on behalf of an authenticated caller, that can extend to executing commands or altering the bot's behaviour, i.e. remote code execution.

Affected Systems

The affected product is AstrBotDevs AstrBot, specifically version 3.5.15. No other vendors or product versions are known to be impacted. The hardcoded JWT signing key, Advanced_System_for_Text_Response_and_Bot_Operations_Tool, ships in this release.

Risk and Exploitability

The EPSS score (< 1%) indicates a low but non‑zero probability of exploitation. Accordingly, the risk is primarily associated with environments where AstrBot services are exposed to network traffic and lack additional authentication or token revocation mechanisms. Attackers would need to generate a valid JWT and send it to the API, elevating privileges and potentially triggering arbitrary code execution if the bot performs privileged actions based on token claims. The vulnerability is not listed in CISA KEV, and the CVSS score of 7.3 reflects a high severity risk for affected environments.

Generated by OpenCVE AI on May 8, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest AstrBot release where the private key is no longer hardcoded or is securely stored.
  • Regenerate and rotate all JWT secret keys, reissue existing tokens, and enforce strict signature verification.
  • Restrict network access to AstrBot services and implement role‑based access control to minimize the blast radius of forged tokens.
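The hardened pattern the actions above describe, as an added example rather than AstrBot's own code: the signing key is loaded from the environment instead of the source, the value the advisory reports is refused as known-weak, and verification pins the algorithm to HS256, compares the HMAC in constant time and checks expiry. The environment variable name JWT_SECRET and the 32-byte minimum key length are assumptions; the JWT handling is a stdlib-only HS256 implementation, not a third-party library.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
# Key value the advisory reports as hardcoded in AstrBot 3.5.15: treat as compromised.
KNOWN_WEAK_KEYS = {"Advanced_System_for_Text_Response_and_Bot_Operations_Tool"}
MIN_KEY_BYTES = 32  # assumption: at least 256 bits of key material for HS256

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def key_is_acceptable(key: str) -> bool:
    return key not in KNOWN_WEAK_KEYS and len(key.encode()) >= MIN_KEY_BYTES  # no default, no short key

def load_signing_key(env_var: str = "JWT_SECRET", environ=None) -> str:
    """Load the key from the environment (JWT_SECRET is an assumed name), never a constant."""
    env = os.environ if environ is None else environ
    key = env.get(env_var)
    if key is None:
        return secrets.token_urlsafe(MIN_KEY_BYTES)  # fresh random key instead of a default
    if not key_is_acceptable(key):
        raise ValueError(f"{env_var} is a known-weak or too-short JWT key; rotate it")
    return key

def sign_token(claims: dict, key: str) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, key: str, now=None):
    """Return claims only if alg is HS256, the HMAC matches and exp is in the future."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON all subclass ValueError
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return None  # the token never gets to pick the algorithm ("none", key confusion)
    expected = hmac.new(key.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig) or claims.get("exp", 0) <= (now or time.time()):
        return None
    return claims
```

Once the key is rotated, every token signed under the old value fails verification, which is the effect the reissuance step relies on.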


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-4m32-cjv7-f425
Title: AstrBot is vulnerable to RCE with hard-coded JWT signing keys
History

Tue, 12 May 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:astrbot:astrbot:3.5.15:*:*:*:*:*:*:*

Mon, 11 May 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Astrbot
Astrbot astrbot
Vendors & Products Astrbot
Astrbot astrbot

Fri, 08 May 2026 23:30:00 +0000

Type Values Removed Values Added
Title Hardcoded Private Key Enables JWT Forgery in AstrBot

Fri, 08 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Hardcoded Private Key in AstrBot Enables JWT Forgery and Potential Remote Code Execution
Weaknesses CWE-285
CWE-798

Fri, 08 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-321
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 08:00:00 +0000

Type Values Removed Values Added
Title Hardcoded Private Key in AstrBot Enables JWT Forgery and Potential Remote Code Execution
Weaknesses CWE-285
CWE-798

Fri, 08 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T17:52:44.644Z

Reserved: 2025-08-13T00:00:00.000Z

Link: CVE-2025-55449

Vulnrichment

Updated: 2026-05-08T17:52:40.883Z

NVD

Status : Analyzed

Published: 2026-05-08T07:16:28.047

Modified: 2026-05-12T13:49:53.330

Link: CVE-2025-55449

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T16:11:35Z

Weaknesses