Lobe Chat Server-Side Request Forgery Vulnerability
CVE-2024-32964

9CRITICAL

Key Information:

Vendor

Lobehub

Status
Lobe-chat
Vendor
CVE Published:
14 May 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC🟣 EPSS 53%

What is CVE-2024-32964?

The Lobe Chat framework, designed for chatbot development with capabilities like speech synthesis and a multimodal plugin system, has a vulnerability in its /api/proxy endpoint prior to version 0.150.6. This flaw allows attackers to execute unauthorized Server-Side Request Forgery, enabling them to craft malicious requests. Such exploits can compromise intranet services and potentially expose sensitive information without the need for authentication, posing a significant risk to users and systems relying on this framework.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

lobe-chat <= 0.150.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

aaa-agentxploit-example
Created by StephenQSstarThomas

References

https://github.com/lobehub/lobe-chat/security/advisories/...
x_refsource_CONFIRM
https://github.com/lobehub/lobe-chat/commit/465665a735556...
x_refsource_MISC

EPSS Score

53% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

JSON
.