Skip to main content

LobeChat CVE-2026-58578

| EUVDEUVD-2026-41420 HIGH
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-07-02 VulnCheck GHSA-g4jq-25cx-3cw5
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable skill import with low complexity but requires an authenticated account (PR:L); impact is a full event-loop stall so A:H, with no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jul 02, 2026 - 20:30 vuln.today
Severity Changed
Jul 02, 2026 - 20:22 NVD
MEDIUM HIGH
CVSS changed
Jul 02, 2026 - 20:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)
CVE Published
Jul 02, 2026 - 19:38 cve.org
HIGH 7.1

DescriptionCVE.org

LobeChat before version 2.2.10-canary.15 contains a regular expression denial of service (ReDoS) vulnerability that allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. Attackers can craft a malicious basePath value containing unescaped regex metacharacters such as catastrophic-backtracking patterns, which are injected into a dynamically constructed regular expression in the findSkillMd function and executed synchronously against archive entries, denying service to all concurrent users for tens of seconds per request.

AnalysisAI

Denial of service in LobeChat before 2.2.10-canary.15 lets an authenticated user hang the entire Node.js server by importing a GitHub-hosted skill whose repository URL path contains a catastrophic-backtracking regex pattern. Because the malicious basePath is compiled into a dynamic regular expression in findSkillMd and matched synchronously against archive entries, a single request blocks the shared event loop for tens of seconds, denying service to all concurrent users. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to LobeChat instance
Delivery
Submit crafted GitHub skill URL with malicious basePath
Exploit
Pattern injected into dynamic regex in findSkillMd
Execution
Synchronous match triggers catastrophic backtracking
Persist
Node.js event loop blocked for tens of seconds
Impact
Service denied to all concurrent users

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated LobeChat account (CVSS PR:L) with access to the GitHub skill-import feature; the attacker supplies a malicious basePath in the GitHub repository URL path containing unescaped regex metacharacters (catastrophic-backtracking patterns) that reach the dynamically constructed regular expression in findSkillMd. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H) scores 7.1 and correctly isolates impact to availability only - no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated LobeChat user navigates to the skill-import feature and submits a crafted GitHub repository URL whose path contains a catastrophic-backtracking regex pattern as the basePath. When findSkillMd compiles and runs that pattern synchronously against archive entries, the Node.js event loop freezes for tens of seconds, making the application unresponsive for every other user; the attacker can repeat the request to sustain the outage. …
Remediation Vendor-released patch: upgrade to LobeChat 2.2.10-canary.15 or later (https://github.com/lobehub/lobehub/releases/tag/v2.2.10-canary.15); the code fix is in commit 349bbe326eb8635d6d9c6a96d12702681ae3a84a and PR https://github.com/lobehub/lobehub/pull/16548, which properly escapes the user-supplied basePath before regex construction. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all LobeChat deployments and current versions; disable or restrict GitHub-based skill imports pending patch deployment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-58578 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy