Lobehub
Monthly
Broken object level authorization in LobeChat through version 2.2.9 permits authenticated users to read and manipulate chat-group agent data belonging to other users by supplying arbitrary group identifiers to unguarded API operations. The getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup endpoints accept caller-controlled group IDs without validating ownership, enabling cross-user data access and modification. Publicly available exploit code exists per GitHub issue #16537, though the CVE is absent from the CISA KEV catalog and carries a CVSS 4.0 score of 2.3, indicating limited blast radius; real-world risk is elevated primarily in shared multi-tenant LobeChat deployments.
Cross-user data disclosure in LobeChat through version 2.2.9 allows any authenticated user to read other users' documents by abusing the retrieval-augmented-generation (RAG) semantic search, whose chunk model omits a user-identifier predicate. By supplying arbitrary victim file or knowledge-base identifiers through the chunk retrieval and chat knowledge-base paths, an attacker recovers text content, file names, and metadata belonging to other tenants. Publicly available exploit code exists and a vendor patch has been released; the flaw is not listed in CISA KEV and no active exploitation is reported.
Server-side request forgery in LobeChat before 2.2.10-canary.18 lets authenticated users coerce the server into issuing internal HTTP requests to attacker-chosen URLs, enabling disclosure of internal service responses and cloud credentials from instance metadata endpoints. The flaw stems from two endpoints - skill import (importFromUrl) and topic cover update (fetchImageFromUrl) - calling the global fetch instead of the project's ssrf-safe-fetch wrapper. Publicly available exploit code exists and a vendor patch has shipped, though it is not listed in CISA KEV.
Broken object-level authorization in LobeChat server-database deployments through version 2.2.9 enables any authenticated user to overwrite another user's message sub-resources - including plugin tool-call metadata, plugin state and error fields, text-to-speech records, and translation records - by submitting tRPC API requests that reference the victim's message identifier. Five MessageModel write methods (updateMessagePlugin, updatePluginState, updatePluginError, updateTTS, updateTranslate) and one read method (findMessagePlugin) filter database rows by message ID alone, silently omitting the userId scope enforced in all sibling methods, causing the tampered content to be served back to the victim as their own data. No public exploit has been identified at time of analysis, and practical exploitation is gated by the requirement to possess a victim's non-enumerable message identifier.
Denial of service in LobeChat before 2.2.10-canary.15 lets an authenticated user hang the entire Node.js server by importing a GitHub-hosted skill whose repository URL path contains a catastrophic-backtracking regex pattern. Because the malicious basePath is compiled into a dynamic regular expression in findSkillMd and matched synchronously against archive entries, a single request blocks the shared event loop for tens of seconds, denying service to all concurrent users. Publicly available exploit code exists and a vendor patch is available, though there is no public exploit identified as being used in active exploitation.
Broken object level authorization in LobeChat through version 2.2.9 permits authenticated users to read and manipulate chat-group agent data belonging to other users by supplying arbitrary group identifiers to unguarded API operations. The getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup endpoints accept caller-controlled group IDs without validating ownership, enabling cross-user data access and modification. Publicly available exploit code exists per GitHub issue #16537, though the CVE is absent from the CISA KEV catalog and carries a CVSS 4.0 score of 2.3, indicating limited blast radius; real-world risk is elevated primarily in shared multi-tenant LobeChat deployments.
Cross-user data disclosure in LobeChat through version 2.2.9 allows any authenticated user to read other users' documents by abusing the retrieval-augmented-generation (RAG) semantic search, whose chunk model omits a user-identifier predicate. By supplying arbitrary victim file or knowledge-base identifiers through the chunk retrieval and chat knowledge-base paths, an attacker recovers text content, file names, and metadata belonging to other tenants. Publicly available exploit code exists and a vendor patch has been released; the flaw is not listed in CISA KEV and no active exploitation is reported.
Server-side request forgery in LobeChat before 2.2.10-canary.18 lets authenticated users coerce the server into issuing internal HTTP requests to attacker-chosen URLs, enabling disclosure of internal service responses and cloud credentials from instance metadata endpoints. The flaw stems from two endpoints - skill import (importFromUrl) and topic cover update (fetchImageFromUrl) - calling the global fetch instead of the project's ssrf-safe-fetch wrapper. Publicly available exploit code exists and a vendor patch has shipped, though it is not listed in CISA KEV.
Broken object-level authorization in LobeChat server-database deployments through version 2.2.9 enables any authenticated user to overwrite another user's message sub-resources - including plugin tool-call metadata, plugin state and error fields, text-to-speech records, and translation records - by submitting tRPC API requests that reference the victim's message identifier. Five MessageModel write methods (updateMessagePlugin, updatePluginState, updatePluginError, updateTTS, updateTranslate) and one read method (findMessagePlugin) filter database rows by message ID alone, silently omitting the userId scope enforced in all sibling methods, causing the tampered content to be served back to the victim as their own data. No public exploit has been identified at time of analysis, and practical exploitation is gated by the requirement to possess a victim's non-enumerable message identifier.
Denial of service in LobeChat before 2.2.10-canary.15 lets an authenticated user hang the entire Node.js server by importing a GitHub-hosted skill whose repository URL path contains a catastrophic-backtracking regex pattern. Because the malicious basePath is compiled into a dynamic regular expression in findSkillMd and matched synchronously against archive entries, a single request blocks the shared event loop for tens of seconds, denying service to all concurrent users. Publicly available exploit code exists and a vendor patch is available, though there is no public exploit identified as being used in active exploitation.