CVE-2024-32965Server-Side Request Forgery in Lobe-chat

CWE-918Server-Side Request Forgery3 documents3 sources
Severity
8.6HIGHNVD
EPSS
0.2%
top 56.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Lobehub Lobe-chatLobehub Lobe ChatLobehub Chat
Timeline
PublishedNov 26

Description

Lobe Chat is an open-source, AI chat framework. Versions of lobe-chat prior to 1.19.13 have an unauthorized ssrf vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information. The jwt token header X-Lobe-Chat-Auth strored proxy address and OpenAI API Key, can be modified to scan an internal network in the target lobe-web environment. This issue has been addressed in release version 1.19.13 and all users are

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:LExploitability: 3.9 | Impact: 4.7

Affected Packages3 packages

npmlobehub/chat< 1.19.13
CVEListV5lobehub/lobe-chat< 1.19.13
NVDlobehub/lobe_chat< 1.19.13

Patches

Patch: github.com

🔴Vulnerability Details

2
GHSA
@lobehub/chat Server Side Request Forgery vulnerability2024-11-26
OSV
@lobehub/chat Server Side Request Forgery vulnerability2024-11-26