CVE-2024-37895
Published 2024-06-17
Priority: P4 (31)
CVSS 3.1: 5.7 (medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
EPSS: 0.55% (41.6th percentile)
Lobe Chat is an open-source LLMs/AI chat framework. In affected versions if an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. This issue has been addressed in version 0.162.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lobehub | chat | >= 0 < 0.162.25 | 0.162.25 |
| lobehub | lobe-chat | < 0.162.25 | 0.162.25 |
| lobehub | lobe_chat | < 0.162.25 | 0.162.25 |
OSV advisory (2024-06-17): CVE-2024-37895 [MEDIUM] Lobe Chat API Key Leak
### Summary
If an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request.
### Details
The attack process is described above.
### PoC
Frontend:
1. Pass basic authentication (SSO/Access Code).
2. Set the Base URL to a private attack address.
3. Configure the request method to be a server-side request.
4. At the self-set attack address, retrieve the API Key information from the request headers.
Backend:
1. The LobeChat version allows setting the Base URL.
2. There is no outbound traffic whitelist.
### Impact
All community version LobeChat users using SSO/Access Code authentication, tested on version 0.162.13.
GHSA advisory (2024-06-17): CVE-2024-37895 [MEDIUM] CWE-200 Lobe Chat API Key Leak (advisory text identical to the OSV entry above)
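The advisory's backend findings are that the base URL is client-settable and that there is no outbound traffic whitelist, so the server-side request carries the operator's real API key to whatever host the client named. The following is an added illustration, not code from Lobe Chat or from the fix in 0.162.25: a Node.js helper that a server-side proxy could run over a user-supplied base URL before attaching the key. The function names, the `/v1/chat/completions` path, the sample allowlist and the host names are all constructed for the example.

```javascript
// Added example, not Lobe Chat's own code: an upstream-host allowlist check
// a server-side proxy can apply to a client-supplied "Base URL" before it
// attaches the operator's real API key. Function names, the request path and
// the sample allowlist are constructed for illustration.

// Constructed sample allowlist of upstream hosts the operator trusts.
const SAMPLE_ALLOWED_HOSTS = ['api.openai.com'];

// Validate a raw base URL. Returns { ok: true, origin } or { ok: false, reason }.
// Hostnames are compared by exact match, so "api.openai.com.evil.example"
// (a suffix trick) and a trusted name hidden in the query string do not pass.
function validateUpstreamBaseUrl(rawUrl, allowedHosts) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (_err) {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.protocol !== 'https:') {
    // No plaintext upstream: the bearer token would travel in the clear.
    return { ok: false, reason: 'scheme' };
  }
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'credentials-in-url' };
  }
  const host = url.hostname.toLowerCase();
  const allowed = allowedHosts.map((h) => h.toLowerCase());
  if (!allowed.includes(host)) {
    return { ok: false, reason: 'host-not-allowlisted' };
  }
  // url.origin drops a default :443 port, so "api.openai.com:443" normalises.
  return { ok: true, origin: url.origin };
}

// The pattern the advisory describes: the key is attached to whatever base
// URL the client sent, so the Authorization header lands on that host.
function buildUpstreamRequestUnsafe(userBaseUrl, apiKey) {
  return {
    forwarded: true,
    url: new URL('/v1/chat/completions', userBaseUrl).toString(),
    headers: { Authorization: 'Bearer ' + apiKey },
  };
}

// Hardened: the key is attached only after the host passes the allowlist.
// The request path is built from the validated origin, not from user input.
function buildUpstreamRequest(userBaseUrl, apiKey, allowedHosts) {
  const verdict = validateUpstreamBaseUrl(userBaseUrl, allowedHosts);
  if (!verdict.ok) {
    // Nothing is sent upstream; the reason is safe to log server-side.
    return { forwarded: false, reason: verdict.reason, headers: {} };
  }
  return {
    forwarded: true,
    url: verdict.origin + '/v1/chat/completions',
    headers: { Authorization: 'Bearer ' + apiKey },
  };
}

// Demo over constructed inputs: one trusted host, one client-chosen host.
function demo() {
  const key = 'sk-constructed-example';
  return {
    trusted: buildUpstreamRequest('https://api.openai.com/v1', key, SAMPLE_ALLOWED_HOSTS),
    untrusted: buildUpstreamRequest('https://collector.attacker.example/', key, SAMPLE_ALLOWED_HOSTS),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The check belongs on the server, where the key is attached; a client-side restriction on the Base URL field would be bypassed by editing the request. Exact host matching is deliberate: prefix or substring matching on the URL string is the classic way such allowlists are defeated.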
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.