CVE-2025-59417 — Cross-site Scripting in Lobe-chat

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.8MEDIUMNVD

EPSS

0.1%

top 67.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lobehub Lobe-chat Lobehub Lobe Chat Lobehub Chat

Timeline

PublishedSep 18

Description

Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.129.4, there is a a cross-site scripting (XSS) vulnerability when handling chat message in lobe-chat that can be escalated to remote code execution on the user’s machine. In lobe-chat, when the response from the server is like , it will be rendered with the lobeArtifact node, instead of the plain text. However, when the type of the lobeArtifact is image/svg+xml , it will be rendered as the SVGRender component,…

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶npmlobehub/chat< 1.129.4

▶CVEListV5lobehub/lobe-chat< 1.129.4

▶NVDlobehub/lobe_chat< 1.129.4

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages↗2025-09-18

▶

OSV

Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages↗2025-09-18

▶