CVE-2024-32964
Published: 2024-05-14
Priority: P2 (70)
Severity: critical, CVSS 3.1 base score 9 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H)
Exploit: available
EPSS: 52.96% (98.8th percentile)
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lobehub | chat | >= 0 < 0.150.6 | 0.150.6 |
| lobehub | chat | >= 0 < 1.19.13 | 1.19.13 |
| lobehub | lobe-chat | < 1.19.13 | 1.19.13 |
| lobehub | lobe_chat | < 0.150.6 | 0.150.6 |
| lobehub | lobehub | >= 0 < 2.1.57 | 2.1.57 |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated requests to the /api/proxy endpoint in Lobe Chat, which may indicate SSRF exploitation attempts targeting internal network services.
- Look for Interactsh callback domains in outbound traffic originating from the Lobe Chat server process, which may indicate active SSRF probing or exploitation.
- The SSRF vulnerability requires no authentication, meaning any unauthenticated network access to the /api/proxy endpoint is sufficient for exploitation. Ensure the endpoint is not exposed to untrusted networks.
- Versions prior to 0.150.6 are affected. Upgrade to 0.150.6 or later to remediate.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H |
| ghsa | | 9.0 | CRITICAL | |
| osv | | 9.0 | CRITICAL | |
GHSA
CVE-2026-54157 [CRITICAL] CWE-918 LobeHub: Unauthenticated SSRF in `/webapi/proxy`
ghsa · 2026-06-16 · CVSS 9.0
## Unauthenticated SSRF in /webapi/proxy allows anyone to proxy requests and inject cookies on lobehub.com
## Summary
The `/webapi/proxy` endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. This is the same proxy code that was vulnerable in CVE-2024-32964, where `/api/proxy` was fixed by adding auth middleware. The `/webapi/proxy` route was never secured — it is the only webapi route missing the `checkAuth()` wrapper. An attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the `lobehub.com` domain through reflected `Set-Cookie` headers.
## Vulnerability Details
**Type:** Server-Side Requ
GHSA
CVE-2024-47066 [CRITICAL] CWE-918 lobe-chat implemented an insufficient fix for GHSA-mxhq-xw3g-rphc (CVE-2024-32964)
ghsa · 2024-09-23 · CVSS 9.0
### Summary
SSRF protection implemented in https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts does not consider redirects and could be bypassed when an attacker provides an external malicious URL which redirects to internal resources such as a private network or loopback address.
### PoC
1. Run lobe-chat in docker container. In my setup lobe-chat runs on 0.0.0.0:3210;
2. Create file dummy-server.js with the following content:
```js
// Minimal upstream used in the PoC: logs the path of every request it receives
// and answers 200 with an empty body. Bound to localhost only.
var http = require('http');
console.log("running server");
http.createServer(function (req, res) {
  console.log(req.url);                              // which path the proxy was made to fetch
  res.writeHead(200, {'Content-Type': 'text/html'});
  res.end();
}).listen(3001, 'localhost');
```
And run
```sh
node dummy-server.js
```
as an example
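The two defects this page records are an unauthenticated proxy route (CVE-2024-32964) and a fix that validated only the first URL and then let `fetch` follow redirects (CVE-2024-47066). The guard below is an added example written for this page; it is not lobe-chat's code and `proxyHandler`, `safeFetch`, `assertPublicTarget`, the `authenticated` flag and the injectable `fetchImpl`/`resolve` parameters are our own names. It assumes Node 18 or later (global `fetch`, `Response`, `URL`). The point it demonstrates is that every hop of a redirect chain has to be vetted against the same address policy as the first request, and that the policy must run after DNS resolution, on every returned address.

```javascript
// Added example, not lobe-chat's own code. A guard for a server-side URL proxy
// that (1) refuses unauthenticated callers and (2) re-validates the destination
// on every redirect hop, so a public URL that 30x-redirects to loopback or a
// private range is refused rather than followed.
// Assumed environment: Node 18+ (global fetch, Response, URL). All names are ours.

// Address ranges a proxy should never reach: [base, prefixLength]
const BLOCKED_IPV4 = [
  ['0.0.0.0', 8],      // "this" network
  ['10.0.0.0', 8],     // RFC 1918
  ['100.64.0.0', 10],  // carrier-grade NAT
  ['127.0.0.0', 8],    // loopback
  ['169.254.0.0', 16], // link-local, includes cloud metadata 169.254.169.254
  ['172.16.0.0', 12],  // RFC 1918
  ['192.168.0.0', 16], // RFC 1918
  ['224.0.0.0', 3],    // multicast, reserved and broadcast (224.0.0.0 up to 255.255.255.255)
];

// Dotted-quad string -> unsigned 32-bit integer, or null if not a strict IPv4 literal
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(ip, base, bits) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
}

// True for loopback, private, link-local and other non-routable addresses (v4 and common v6 forms)
function isBlockedAddress(addr) {
  let a = addr.toLowerCase();
  if (a.startsWith('[') && a.endsWith(']')) a = a.slice(1, -1); // URL.hostname keeps IPv6 brackets
  const v4 = parseIPv4(a);
  if (v4 !== null) return BLOCKED_IPV4.some(([base, bits]) => inCidr(v4, base, bits));
  if (a === '::' || a === '::1') return true;                   // unspecified, loopback
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(a);       // IPv4-mapped IPv6, e.g. ::ffff:127.0.0.1
  if (mapped) return isBlockedAddress(mapped[1]);
  return /^fe[89ab][0-9a-f]:/.test(a) || /^f[cd][0-9a-f]{2}:/.test(a); // fe80::/10 link-local, fc00::/7 ULA
}

// Default resolver: every A/AAAA answer must be acceptable, not just the first one
async function defaultResolve(hostname) {
  const { lookup } = await import('node:dns/promises');
  return (await lookup(hostname, { all: true })).map((r) => r.address);
}

// Parse and vet one URL. Throws an Error whose message starts with "blocked:" on refusal.
async function assertPublicTarget(urlString, resolve = defaultResolve) {
  const url = new URL(urlString); // WHATWG parsing also normalises 127.1, 2130706433, 0x7f000001 to 127.0.0.1
  if (url.protocol !== 'http:' && url.protocol !== 'https:') throw new Error(`blocked: scheme ${url.protocol}`);
  if (url.username || url.password) throw new Error('blocked: credentials in URL');
  const host = url.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) throw new Error('blocked: localhost');
  const isLiteral = host.startsWith('[') || parseIPv4(host) !== null;
  const addresses = isLiteral ? [host] : await resolve(host);
  if (addresses.length === 0) throw new Error(`blocked: ${host} does not resolve`);
  for (const a of addresses) {
    if (isBlockedAddress(a)) throw new Error(`blocked: ${host} -> ${a}`);
  }
  return url;
}

// fetch() replacement for the proxy: follows redirects itself and vets each hop.
async function safeFetch(urlString, { fetchImpl = globalThis.fetch, resolve = defaultResolve, maxRedirects = 5, init = {} } = {}) {
  let current = urlString;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const url = await assertPublicTarget(current, resolve);
    const res = await fetchImpl(url.toString(), { ...init, redirect: 'manual' });
    const location = res.headers.get('location');
    if (![301, 302, 303, 307, 308].includes(res.status) || !location) return res;
    current = new URL(location, url).toString(); // a relative Location resolves against the hop just fetched
  }
  throw new Error(`blocked: more than ${maxRedirects} redirects`);
}

// Proxy entry point: authentication first, then the vetted fetch. `authenticated` is a
// placeholder for whatever session check the application performs.
async function proxyHandler({ authenticated, targetUrl }, deps = {}) {
  if (!authenticated) return new Response('unauthorized', { status: 401 });
  try {
    return await safeFetch(targetUrl, deps);
  } catch (e) {
    if (e instanceof Error && e.message.startsWith('blocked:')) {
      return new Response('forbidden target', { status: 403 });
    }
    throw e;
  }
}
```

Two caveats a deployment still has to cover: resolving a name and then fetching it are separate steps, so a name whose answer changes between them (DNS rebinding) slips past this check unless the address that was vetted is the one actually connected to (pin the resolved address with a custom agent or resolve at the socket layer); and the range list only covers the common IPv6 forms, so an allow-list of permitted upstream hosts is the stronger policy wherever the proxy's purpose permits one.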
GHSA
CVE-2024-32964 [CRITICAL] CWE-918 lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability
ghsa · 2024-05-10
### Summary
The latest version of lobe-chat (v0.141.2 at the time of writing) has an unauthorized SSRF vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information.
### Details
* visit https://chat-preview.lobehub.com/settings/agent
* you can attack all internal services by /api/proxy and get the echo in http response :)
### PoC
```http
POST /api/proxy HTTP/2
Host: xxxxxxxxxxxxxxxxx
Cookie: LOBE_LOCALE=zh-CN; LOBE_THEME_PRIMARY_COLOR=undefined; LOBE_THEME_NEUTRAL_COLOR=undefined; _ga=GA1.1.86608329.1711346216; _ga_63LP1TV70T=GS1.1.1711346215.1.1.1711346846.0.0.0
Content-Length: 23
Sec-Ch-Ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chr
```
No detection rules found.
Nuclei
CVE-2024-32964 [CRITICAL] Lobe Chat <= v0.150.5 - Server-Side Request Forgery
nuclei · CVSS 9.0
No writeups or analysis indexed.
References
- https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37
- https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc