CVE-2024-37895: Sensitive Information Exposure in Lobe Chat

Severity: 5.7 MEDIUM (NVD)
EPSS: 0.6% (top 30.47%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 17, 2024

Description

Lobe Chat is an open-source LLMs/AI chat framework. In affected versions, an attacker who can authenticate through SSO or the Access Code can obtain the backend's real API key: by changing the provider base URL in the frontend to a server they control, they cause the Lobe Chat backend to make a server-side request to that URL while still attaching its own API key, which the attacker's server then records. This issue has been addressed in version 0.162.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
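The mechanism described above, as an added illustration that is not Lobe Chat's own code: a backend proxy for an LLM provider that honours a client-supplied base URL and attaches the server's API key regardless of destination, beside a hardened resolver that only sends the server key to the operator-configured upstream origin and otherwise requires the client to bring its own key. All names (ServerConfig, resolveUpstreamVulnerable, resolveUpstreamHardened, the "/chat/completions" path and the sample key values) are assumptions for illustration, not identifiers from the project or the advisory.

```typescript
// Added example, not Lobe Chat's code: models the bug class in CVE-2024-37895.
// A server-side proxy for an LLM provider decides where to send a chat request
// and which API key to attach. Names, paths and sample values are illustrative.

interface ServerConfig {
  upstreamBaseUrl: string; // operator-configured provider endpoint (assumed value below)
  serverApiKey: string;    // the backend's real API key: the secret at stake
}

interface ClientRequest {
  baseUrl?: string; // optional client-supplied provider base URL override
  apiKey?: string;  // optional client-supplied ("bring your own") key
}

interface UpstreamCall {
  url: string;           // full URL the backend would call
  authorization: string; // Authorization header value the backend would send
}

const CHAT_PATH = "/chat/completions"; // assumed provider path, for illustration only

function trimSlashes(base: string): string {
  return base.replace(/\/+$/, "");
}

// Vulnerable: trusts the client's baseUrl, then falls back to the server key.
// An authenticated user who sets baseUrl to a host they control receives the
// server's key in the Authorization header of the backend's outbound request.
function resolveUpstreamVulnerable(cfg: ServerConfig, req: ClientRequest): UpstreamCall {
  const base = trimSlashes(req.baseUrl ?? cfg.upstreamBaseUrl);
  const key = req.apiKey ?? cfg.serverApiKey; // server secret leaks to arbitrary hosts
  return { url: `${base}${CHAT_PATH}`, authorization: `Bearer ${key}` };
}

// Parse with the WHATWG URL parser so host case, default ports and userinfo
// tricks such as https://api.example.com@attacker.example/ are normalised for us.
// origin is scheme + lower-cased host + non-default port, so an http downgrade
// of the configured https upstream also fails the comparison.
function originOf(base: string): string {
  try {
    return new URL(base).origin;
  } catch (e) {
    throw new Error(`invalid base URL: ${base}`);
  }
}

// Hardened: the server key only ever travels to the configured upstream origin.
// A request pointing anywhere else must carry the client's own key or is refused.
function resolveUpstreamHardened(cfg: ServerConfig, req: ClientRequest): UpstreamCall {
  const base = trimSlashes(req.baseUrl ?? cfg.upstreamBaseUrl);
  const targetOrigin = originOf(base);
  const trustedOrigin = originOf(cfg.upstreamBaseUrl);

  let key: string;
  if (targetOrigin === trustedOrigin) {
    key = req.apiKey ?? cfg.serverApiKey;
  } else if (req.apiKey) {
    key = req.apiKey; // custom endpoint, so only the customer's own credential goes out
  } else {
    throw new Error(`refusing to send server credentials to ${targetOrigin}`);
  }
  return { url: `${base}${CHAT_PATH}`, authorization: `Bearer ${key}` };
}
```

The design point is that a server-held credential is bound to the server-configured destination: the decision "which key" must depend on "which origin", and that origin must come from the parsed URL rather than from string comparison on client input. The actual change shipped in 0.162.25 is not reproduced here; this only shows the general principle behind the advisory.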

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Exploitability: 2.1 | Impact: 3.6

Affected Packages (3 packages)

npm: lobehub/chat < 0.162.25
CVEListV5: lobehub/lobe-chat < 0.162.25
NVD: lobehub/lobe_chat < 0.162.25

Vulnerability Details (2)

OSV: Lobe Chat API Key Leak (2024-06-17)
GHSA: Lobe Chat API Key Leak (2024-06-17)