CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-47948: Cocotais Bot has builtin .echo command injection

7.2 CVSS

Description

Cocotais Bot is a QQ official robot framework based on qq-bot-sdk. Starting in version 1.5.0-test2-hotfix and prior to version 1.6.2, command echoing feature in the framework allows users to indirectly trigger privileged behavior by injecting special platform tags. Specifically, an unauthorized user can use the `/echo ` command to cause the bot to send a message that mentions all members in the chat, bypassing any permission controls. This can lead to spam, disruption, or abuse of notification systems. Version 1.6.2 contains a patch for the issue.

Classification

CVE ID: CVE-2025-47948

CVSS Base Severity: HIGH

CVSS Base Score: 7.2

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

Problem Types

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Affected Products

Vendor: cocotais

Product: cocotais-bot

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 17.95% (scored less or equal to compared to others)

EPSS Date: 2025-06-15 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-47948
https://github.com/cocotais/cocotais-bot/security/advisories/GHSA-mj2c-8hxf-ffvq
https://github.com/cocotais/cocotais-bot/commit/d1cf01a9a41b3131241d1833444b890c8d6e70b8

Timeline

2025-05-17 19:40:17 UTC
CVE

Cocotais Bot has builtin .echo command injection
2025-05-19 17:15:46 UTC
Github Advisory Database (NPM)

[cocotais-bot] Cocotais Bot has builtin .echo command injection