CVE-2025-62505 — Server-Side Request Forgery in Lobe-chat
Severity: 3.0 LOW (NVD)
EPSS: 0.0% (top 92.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Oct 17
Description
LobeChat is an open source chat application platform. The web-crawler package in LobeChat version 1.136.1 allows server-side request forgery (SSRF) in the tools.search.crawlPages tRPC endpoint. A client can supply an arbitrary urls array together with impls containing the value naive. The service passes the user URLs to Crawler.crawl and the naive implementation performs a server-side fetch of each supplied URL without validating or restricting internal network addresses (such as localhost, 127.…
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
Exploitability: 1.3 | Impact: 1.4