AstrBot is vulnerable to RCE with hard-coded JWT signing keys — CVE-2025-55449
GitHub · GitHub · CVE-2025-55449
ID
CVE-2025-55449
CVE-2025-55449
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
critical
critical
CVSS
9.8
9.8
EPSS
0.0001
0.0001
Summary
### Summary AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin. ### Details AstrBot uses a [hard-coded JWT signing key](https://github.com/AstrBotDevs/AstrBot/blob/v3.5.16/astrbot/core/__init__.py), which allows attackers to bypass the authentication mechanism. Once bypassed, the attacker can install a Python plugin that will be imported…
Product
pip: astrbot
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.