CVE-2025-59426
Published 2025-09-25 · CVE-2025-59426: Lobe Chat open redirect via forwarded host/proto headers in OIDC redirect handling (fixed in 1.130.1)
Priority: P4 · CVSS 3.1 base score: 4.3 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS: 0.30% (21.7th percentile)
Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.130.1, the project's OIDC redirect handling logic constructs the host and protocol of the final redirect URL based on the X-Forwarded-Host or Host headers and the X-Forwarded-Proto value. In deployments where a reverse proxy forwards client-supplied X-Forwarded-* headers to the origin as-is, or where the origin trusts them without validation, an attacker can inject an arbitrary host and trigger an open redirect that sends users to a malicious domain. This issue has been patched in version 1.130.1.
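The pattern the advisory describes, and one way to close it, as an added example in TypeScript. This is not lobe-chat's code and not its fix; it reproduces the general shape of the bug (the redirect origin rebuilt from X-Forwarded-Host / Host and X-Forwarded-Proto) next to a version that takes the origin from configuration. The option names `appUrl` and `allowedHosts`, the helper names, and the request headers are assumptions of this example, and the sample request is constructed.

```typescript
// Added example; not lobe-chat's code. Contrasts a header-derived redirect
// origin (the CWE-601 pattern from the advisory) with a configured origin.

// Request headers as a plain map; names are assumed lower-cased, as Node's
// IncomingMessage.headers presents them.
type HeaderMap = Record<string, string | undefined>;

// First value of a possibly comma-joined forwarded header, lower-cased.
function firstValue(raw: string | undefined): string | undefined {
  const v = raw?.split(',')[0].trim().toLowerCase();
  return v ? v : undefined;
}

// VULNERABLE pattern: scheme and host of the final redirect come from
// X-Forwarded-Proto and X-Forwarded-Host / Host, i.e. from the client whenever
// the reverse proxy forwards those headers untouched.
function buildRedirectUnsafe(headers: HeaderMap, internalPath: string): string {
  const host =
    firstValue(headers['x-forwarded-host']) ?? firstValue(headers['host']) ?? 'localhost';
  const proto = firstValue(headers['x-forwarded-proto']) ?? 'http';
  // A relative internal path is resolved against the attacker-supplied origin.
  return new URL(internalPath, `${proto}://${host}`).toString();
}

// HARDENED pattern: the public origin is deployment configuration (appUrl is an
// assumed option name). A forwarded host is honoured only when it is on an
// explicit allowlist, and the scheme is never taken from headers, so an
// untrusted proxy cannot downgrade it either.
function buildRedirectSafe(
  headers: HeaderMap,
  internalPath: string,
  opts: { appUrl: string; allowedHosts?: string[] },
): string {
  const configured = new URL(opts.appUrl);
  const allowed = new Set((opts.allowedHosts ?? []).map((h) => h.toLowerCase()));
  const forwarded = firstValue(headers['x-forwarded-host']);
  const host = forwarded !== undefined && allowed.has(forwarded) ? forwarded : configured.host;
  const target = new URL(internalPath, `${configured.protocol}//${host}`);
  // Defence in depth: if internalPath was absolute or protocol-relative
  // ("//evil.example/x"), resolution changes the origin; refuse rather than redirect.
  if (target.host !== host || target.protocol !== configured.protocol) {
    throw new Error(`refusing off-site redirect to ${target.origin}`);
  }
  return target.toString();
}

// Constructed request: what a client can send when the proxy passes
// X-Forwarded-* through as-is. The path stands in for the provider's internal
// redirect target (a made-up value, not a real lobe-chat route).
const attackerRequest: HeaderMap = {
  host: 'chat.example.com',
  'x-forwarded-host': 'evil.example',
  'x-forwarded-proto': 'https',
};
const internalPath = '/oidc/auth/session-abc';

// Runs both variants against the same request so the difference is visible.
function demo(): { unsafe: string; safe: string } {
  return {
    unsafe: buildRedirectUnsafe(attackerRequest, internalPath),
    safe: buildRedirectSafe(attackerRequest, internalPath, { appUrl: 'https://chat.example.com' }),
  };
}
```

`demo()` returns the attacker's origin for the unsafe variant and the configured origin for the safe one. To check a live deployment, send a request through the proxy to the OIDC consent route with a bogus `X-Forwarded-Host` and inspect the `Location` header of the response; it must still point at your own domain. Independently of the application fix, the proxy should overwrite rather than pass through these headers (for nginx, `proxy_set_header X-Forwarded-Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;`), and the origin should only trust them from proxy addresses it knows.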
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lobehub | chat | >= 0 < 1.130.1 | 1.130.1 |
| lobehub | lobe-chat | < 1.130.1 | 1.130.1 |
| lobehub | lobe_chat | < 1.130.1 | 1.130.1 |
GHSA · 2025-09-24 · lobe-chat has an Open Redirect (CVE-2025-59426, MEDIUM, CWE-601)

### **Description**
---
> Vulnerability Overview

The project's OIDC redirect handling logic constructs the host and protocol of the final redirect URL based on the X-Forwarded-Host or Host headers and the X-Forwarded-Proto value. In deployments where a reverse proxy forwards client-supplied X-Forwarded-* headers to the origin as-is, or where the origin trusts them without validation, an attacker can inject an arbitrary host and trigger an open redirect that sends users to a malicious domain.

> Vulnerable Code Analysis

```ts
const internalRedirectUrlString = await oidcService.getInteractionResult(uid, result);
log('OIDC Provider internal redirect URL string: %s', internalRedirectUrlString);
let finalRedirectUrl;
try {
finalRedirectUrl = correctOID
```
OSV · 2025-09-24 · lobe-chat has an Open Redirect (CVE-2025-59426, MEDIUM): same advisory text and code excerpt as the GHSA entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/lobehub/lobe-chat/blob/aa841a3879c30142720485182ad62aa0dbd74edc/src/app/(backend)/oidc/consent/route.ts#L113-L127 (consent route, lines cited by the advisory)
- https://github.com/lobehub/lobe-chat/commit/70f52a3c1fadbd41a9db0e699d1e44d9965de445 (commit referenced by the advisory)
- https://github.com/lobehub/lobe-chat/security/advisories/GHSA-xph5-278p-26qx (GitHub security advisory)