Lobe Chat
CVE-2024-47066
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.19.13, server-side request forgery protection implemented in src/app/api/proxy/route.ts does not consider redirect and could be bypassed when attacker provides an external malicious URL which redirects to internal resources like a private network or loopback address. Version 1.19.13 contains an improved fix for the issue.
AnalysisAI
Lobe Chat is an open-source artificial intelligence chat framework. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.19.13, server-side request forgery protection implemented in src/app/api/proxy/route.ts does not consider redirect and could be bypassed when attacker provides an external malicious URL which redirects to internal resources like a private network or loopback address. Version 1.19.13 contains an improved fix for the issue. Affected products include: Lobehub Lobe Chat. Version information: version 1.19.13.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system.
Lobe Chat is an open-source, AI chat framework. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitab
Lobe Chat is an open-source LLMs/AI chat framework. Rated medium severity (CVSS 5.7), this vulnerability is remotely exp
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system.
Lobe Chat is an open-source artificial intelligence chat framework. Rated medium severity (CVSS 4.3), this vulnerability
Lobe Chat is an open-source artificial intelligence chat framework. Rated medium severity (CVSS 6.8), this vulnerability
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today