cbcvebase.
CVE-2025-59426
published 2025-09-25

CVE-2025-59426: Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.130.1, the project's OIDC redirect handling logic constructs the host…

PriorityP424medium4.3CVSS 3.1
AVNACLPRNUIRSUCNILAN
EPSS
0.30%
21.7th percentile
Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.130.1, the project's OIDC redirect handling logic constructs the host and protocol of the final redirect URL based on the X-Forwarded-Host or Host headers and the X-Forwarded-Proto value. In deployments where a reverse proxy forwards client-supplied X-Forwarded-* headers to the origin as-is, or where the origin trusts them without validation, an attacker can inject an arbitrary host and trigger an open redirect that sends users to a malicious domain. This issue has been patched in version 1.130.1.

Affected

3 ranges
VendorProductVersion rangeFixed in
lobehubchat>= 0 < 1.130.11.130.1
lobehublobe-chat< 1.130.11.130.1
lobehublobe_chat< 1.130.11.130.1
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.