Server-Side Request Forgery Vulnerability in LobeChat by LobeHub
CVE-2025-62505

3LOW

Key Information:

Vendor: Lobehub
Status: Lobe-chat
Vendor: CVE Published:; 17 October 2025

What is CVE-2025-62505?

LobeChat, an open source chat application, contains a vulnerability in its web-crawler package that allows server-side request forgery through the tools.search.crawlPages tRPC endpoint. This flaw permits clients to submit arbitrary URLs, forcing the server to perform unauthorized internal network requests without proper validation. As a result, attackers with valid user credentials can access sensitive internal API information or cloud metadata, highlighting the need for immediate remedial action. Users are strongly urged to update to version 1.136.2, which addresses and resolves this security issue.

Affected Version(s)

lobe-chat < 1.136.2

References

https://github.com/lobehub/lobe-chat/security/advisories/...

x_refsource_CONFIRM

https://github.com/lobehub/lobe-chat/commit/8d59583dca16f...

x_refsource_MISC

CVSS V3.1

Score:

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 17, 2025
Vulnerability Reserved
Oct 15, 2025

CVE-2025-62505 Data

JSON

Lobehub

What is CVE-2025-62505?

Affected Version(s)

References

CVSS V3.1

Timeline