Unauthorized SSRF Vulnerability in Lobe Chat Prior to v1.19.13
CVE-2024-32965

8.1 HIGH

Key Information:

Vendor: Lobehub
Status: Vendor
CVE Published: 26 November 2024

What is CVE-2024-32965?

Lobe Chat is an open-source framework for building AI chat applications. Versions prior to 1.19.13 contain an unauthenticated server-side request forgery (SSRF) vulnerability: an attacker can construct malicious requests without logging in and have the server issue outbound requests on their behalf. The JWT carried in the X-Lobe-Chat-Auth request header can be manipulated to point those server-side requests at internal network services, which lets the attacker scan the internal network, reach exposed internal APIs, and extract sensitive information. Because no credentials are required, every instance reachable by the attacker is exposed. The maintainers fixed the issue in version 1.19.13, and all users should upgrade.
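The pattern the advisory describes, as an added example that is not code from the Lobe Chat project: a JWT-shaped X-Lobe-Chat-Auth value carrying an attacker-chosen upstream URL, the vulnerable read-and-trust step, and the egress guard that should run on the parsed URL before any server-side fetch. Everything beyond the header name is an assumption made for this example: the claim name `endpoint`, the function names, and the sample header value are constructed here, and the advisory does not say how the vulnerable code consumed the token.

```typescript
// Added example, not code from the Lobe Chat project. Assumption: the JWT in
// X-Lobe-Chat-Auth carries an attacker-chosen `endpoint` claim that the server
// would use as the base URL of its outbound request; that claim name is hypothetical.

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

function base64UrlEncode(s: string): string {        // ASCII input only
  let bits = 0, acc = 0, out = "";
  for (let i = 0; i < s.length; i++) {
    acc = ((acc << 8) | (s.charCodeAt(i) & 0xff)) & 0xffffff; bits += 8;
    while (bits >= 6) { bits -= 6; out += B64URL[(acc >> bits) & 63]; }
  }
  return bits > 0 ? out + B64URL[(acc << (6 - bits)) & 63] : out;
}

function base64UrlDecode(seg: string): string {
  let bits = 0, acc = 0, out = "";
  for (const ch of seg) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error("invalid base64url");
    acc = ((acc << 6) | v) & 0xffffff; bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 0xff); }
  }
  return out;
}

// Constructed attacker input: a JWT-shaped header value whose payload names an
// internal host. The signature segment is left empty on purpose.
function forgeAuthHeader(endpoint: string): string {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify({ endpoint }))}.`;
}

// The vulnerable pattern: read the claim and trust it verbatim as the upstream URL.
function upstreamFromAuthHeader(headerValue: string): string | null {
  const parts = headerValue.split(".");
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(base64UrlDecode(parts[1])) as { endpoint?: unknown };
    return typeof claims.endpoint === "string" ? claims.endpoint : null;
  } catch { return null; }
}

// Address ranges a server must never fetch from on a client's behalf.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

function ipv4ToInt(ip: string): number | null {
  const p = ip.split(".");
  if (p.length !== 4 || p.some((x) => !/^\d{1,3}$/.test(x) || Number(x) > 255)) return null;
  return p.reduce((n, x) => n * 256 + Number(x), 0);
}

function isBlockedIPv4(ip: string): boolean {
  const n = ipv4ToInt(ip);
  return n !== null && BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === (((ipv4ToInt(net) as number) & mask) >>> 0);
  });
}

function isBlockedIPv6(ip: string): boolean {
  if (ip === "::1" || ip === "::") return true;                 // loopback, unspecified
  if (/^fe[89ab]/.test(ip) || /^f[cd]/.test(ip)) return true;   // link-local, ULA
  if (!ip.startsWith("::ffff:")) return false;
  const rest = ip.slice(7);                                     // IPv4-mapped
  if (rest.includes(".")) return isBlockedIPv4(rest);
  const g = rest.split(":").map((x) => parseInt(x, 16));        // WHATWG form, e.g. ::ffff:7f00:1
  if (g.length !== 2 || g.some((x) => !(x >= 0 && x <= 0xffff))) return false;
  const n = g[0] * 0x10000 + g[1];
  return isBlockedIPv4(`${n >>> 24}.${(n >>> 16) & 255}.${(n >>> 8) & 255}.${n & 255}`);
}

type Verdict = { allowed: boolean; reason: string };
// Run on the parsed URL before any fetch is issued. WHATWG URL parsing has
// already canonicalised forms such as http://0x7f000001/ or http://2130706433/.
function checkUpstreamUrl(candidate: string): Verdict {
  let url: URL | null = null;
  try { url = new URL(candidate); } catch { /* reported below */ }
  if (url === null) return { allowed: false, reason: "unparseable URL" };
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { allowed: false, reason: `scheme ${url.protocol} not allowed` };
  }
  const host = url.hostname.toLowerCase();
  if (host.startsWith("[") && isBlockedIPv6(host.slice(1, -1))) {
    return { allowed: false, reason: "internal IPv6 address" };
  }
  if (isBlockedIPv4(host)) return { allowed: false, reason: "internal IPv4 address" };
  if (host === "localhost" || host.endsWith(".localhost")) return { allowed: false, reason: "localhost" };
  return { allowed: true, reason: "ok" };
}

// The hardened pattern: the claim is still read, but never fetched unchecked.
function resolveUpstream(headerValue: string): Verdict {
  const endpoint = upstreamFromAuthHeader(headerValue);
  return endpoint === null ? { allowed: false, reason: "no endpoint claim" } : checkUpstreamUrl(endpoint);
}
```

`checkUpstreamUrl` is a string-level guard: it rejects loopback, RFC 1918, shared-address and link-local ranges (which covers 169.254.169.254-style metadata endpoints), IPv4-mapped IPv6, `localhost`, and non-HTTP schemes, and it relies on the WHATWG URL parser to canonicalise hex and decimal host forms before the check. It does not cover a public hostname that resolves to an internal address, or one that changes its answer between check and use (DNS rebinding); a complete fix resolves the name, applies the same range check to every resolved address, and connects only to the address it checked. None of this substitutes for upgrading to 1.19.13.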

Affected Version(s)

lobe-chat < 1.19.13

CVSS V3.1

Score: 8.1
Severity: HIGH
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: High

Timeline

  • Vulnerability reserved
  • Vulnerability published: 26 November 2024