AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface /plugin/install-upload parses the filename from the request body provided by the user, and directly uses the filename to assign to file_path without checking the validity of the filename. The variable file_path is then passed as a parameter to the function file.save, so that the file in the request body can be saved to any location in the file system through directory traversal.