Home / Vulnerability Intelligence / CVE-2025-55449

CVE-2025-55449 - Vulnerability Analysis

HighCVSS: 7.3

Last Updated: May 8, 2026

AstrBotDevs AstrBot - Authentication Bypass

Published: May 8, 2026Updated: May 8, 2026PoC AvailableRemote Exploitable

Overview

AstrBotDevs AstrBot 3.5.15 contains hardcoded private key vulnerability caused by embedding 'Advanced_System_for_Text_Response_and_Bot_Operations_Tool' as JWT signing key, letting attackers forge tokens, exploit requires knowledge of the key.

Severity & Score

Severity: High

CVSS Score: 7.3

Impact

Attackers can forge JWT tokens, potentially gaining unauthorized access or privileges.

Mitigation

Update to a version that removes hardcoded private keys or rotate JWT signing keys immediately.

References

https://github.com/AstrBotDevs/AstrBot
https://github.com/Marven11/CVE-2025-55449-AstrBot-RCE

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2025-55449
Severity: High
CVSS Score: 7.3
Type: hardcoded_credentials
Status: unconfirmed

CWE

CWE-321

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L