CVE-2024-47066

Lobe Chat has insufficient fix for GHSA-mxhq-xw3g-rphc (CVE-2024-32964)

CVSS 9 CRITICALEPSS 10.8%CWE-918

Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.19.13, server-side request forgery protection implemented in `src/app/api/proxy/route.ts` does not consider redirect and could be bypassed when attacker provides an external malicious URL which redirects to internal resources like a private network or loopback address. Version 1.19.13 contains an improved fix for the issue.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H

Affected products

lobehub · lobe-chat

public PoCs found — 1

githubgithub.com/l8BL/CVE-2024-47066★ 4

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf https://github.com/lobehub/lobe-chat/security/advisories/GHSA-3fc8-2r3f-8wrg https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc