Home > Vulnerability Database > CVE-2025-27106

Mend.io Vulnerability Database

CVE-2025-27106

Date: February 21, 2025

binance-trading-bot is an automated Binance trading bot with trailing buy/sell strategy. Authenticated users of binance-trading-bot can achieve Remote Code Execution on the host system due to a command injection vulnerability in the "/restore" endpoint. The restore endpoint of binance-trading-bot is vulnerable to command injection via the "/restore" endpoint. The name of the uploaded file is passed to shell.exec without sanitization other than path normalization, resulting in Remote Code Execution. This may allow any authorized user to execute code in the context of the host machine. This issue has been addressed in version 0.0.100 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity Score

8.8

Related Resources (5)

Url: https://github.com/chrisleekr/binance-trading-bot/commit/99d464cf8ef858d441189993054ec5f5f86e6213

Url: https://github.com/chrisleekr/binance-trading-bot/security/advisories/GHSA-wq6j-4388-4gg5

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-27106

Url: https://github.com/chrisleekr/binance-trading-bot/blob/dd8e1a91b872a48aec47bbe1280c1c6ea96784d9/app/frontend/webserver/handlers/restore-post.js#L14

Url: https://www.mend.io/vulnerability-database/CVE-2025-27106

Severity Score

8.8

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-27106

Date: February 21, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?