CVE-2021-32795: ArchiSteamFarm is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. In versions prior to 4.3.1.0 a De...

Description

ArchiSteamFarm is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. In versions prior to 4.3.1.0 a Denial of Service (aka DoS) vulnerability which allows attacker to remotely crash running ASF instance through sending a specifically-crafted Steam chat message exists. The user sending the message does not need to be authorized within the bot or ASF process. The attacker needs to know ASF's `CommandPrefix` in advance, but majority of ASF setups run with an unchanged default value. This attack does not allow attacker to gain any potentially-sensitive information, such as logins or passwords, does not allow to execute arbitrary commands and otherwise exploit the crash further. The issue is patched in ASF V4.3.1.0. The only workaround which guarantees complete protection is running all bots with `OnlineStatus` of `0` (Offline). In this setup, ASF is able to ignore even the specifically-crafted message without attempting to interpret it.

Metrics

CVSS 3.1

5.9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

1.72%

74.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Archisteamfarm Project	Archisteamfarm	< 4.3.1.0

References

https://github.com/JustArchiNET/ArchiSteamFarm/commit/4cd581ec041912cf199c5512fe6d1dcaec0594c0Patch, Third Party Advisory
https://github.com/JustArchiNET/ArchiSteamFarm/security/advisories/GHSA-5v34-4prm-9474Exploit, Third Party Advisory
https://steamcommunity.com/groups/archiasf/discussions/1/2935742047969570844/Exploit, Third Party Advisory
https://github.com/JustArchiNET/ArchiSteamFarm/commit/4cd581ec041912cf199c5512fe6d1dcaec0594c0Patch, Third Party Advisory
https://github.com/JustArchiNET/ArchiSteamFarm/security/advisories/GHSA-5v34-4prm-9474Exploit, Third Party Advisory
https://steamcommunity.com/groups/archiasf/discussions/1/2935742047969570844/Exploit, Third Party Advisory

Timeline

Published: Jul 26, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-32795?

ArchiSteamFarm is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. In versions prior to 4.3.1.0 a Denial of Service (aka DoS) vulnerability which allows attacker to remotely crash running ASF instance through sending a specifically-crafted Steam chat message exists. The user sending the message does not need to be authorized within the bot or ASF process. The attacker needs to know ASF's `CommandPrefix` in advance, but majority of ASF setups run with an unchanged default value. This attack does not allow attacker to gain any potentially-sensitive information, such as logins or passwords, does not allow to execute arbitrary commands and otherwise exploit the crash further. The issue is patched in ASF V4.3.1.0. The only workaround which guarantees complete protection is running all bots with `OnlineStatus` of `0` (Offline). In this setup, ASF is able to ignore even the specifically-crafted message without attempting to interpret it.

How severe is CVE-2021-32795?

CVE-2021-32795 has a CVSS score of 5.9/10 (MEDIUM severity). The EPSS model estimates a 1.72% probability of exploitation in the next 30 days.

How do I fix CVE-2021-32795?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.