Open Redirect Vulnerability in Lobe Chat by Lobe Hub
CVE-2025-59426

4.3MEDIUM

Key Information:

Vendor

Lobehub

Status
Lobe-chat
Vendor
CVE Published:
25 September 2025

What is CVE-2025-59426?

Lobe Chat, an open-source AI chat framework, contains an open redirect vulnerability prior to version 1.130.1. This issue arises from improper handling of OIDC redirect logic, where the protocol and host of the redirect URL are constructed using potentially unvalidated X-Forwarded-* headers. If a reverse proxy forwards these headers directly without validation, it allows attackers to inject an arbitrary host, directing users to malicious domains. The vulnerability was addressed and patched in version 1.130.1, safeguarding deployments from potential exploitation.

Affected Version(s)

lobe-chat < 1.130.1

References

https://github.com/lobehub/lobe-chat/security/advisories/...
x_refsource_CONFIRM
https://github.com/lobehub/lobe-chat/commit/70f52a3c1fadb...
x_refsource_MISC
https://github.com/lobehub/lobe-chat/blob/aa841a3879c3014...
x_refsource_MISC

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-59426 : Open Redirect Vulnerability in Lobe Chat by Lobe Hub