Lobe Chat
CVE-2024-37895
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Primary rating from Vendor (github) · only source for this CVE.
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Lobe Chat is an open-source LLMs/AI chat framework. In affected versions if an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. This issue has been addressed in version 0.162.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AnalysisAI
Lobe Chat is an open-source LLMs/AI chat framework. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Lobe Chat is an open-source LLMs/AI chat framework. In affected versions if an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. This issue has been addressed in version 0.162.25. Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Lobehub Lobe Chat. Version information: version 0.162.25..
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system.
Lobe Chat is an open-source artificial intelligence chat framework. Rated high severity (CVSS 8.8), this vulnerability i
Lobe Chat is an open-source, AI chat framework. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitab
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system.
Lobe Chat is an open-source artificial intelligence chat framework. Rated medium severity (CVSS 4.3), this vulnerability
Lobe Chat is an open-source artificial intelligence chat framework. Rated medium severity (CVSS 6.8), this vulnerability
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today