Server-Side Request Forgery Vulnerability in LobeChat by LobeHub
CVE-2025-62505

3LOW

Key Information:

Vendor: Lobehub
Status: Lobe-chat
Vendor: CVE Published:; 17 October 2025

What is CVE-2025-62505?

LobeChat, an open source chat application, contains a vulnerability in its web-crawler package that allows server-side request forgery through the tools.search.crawlPages tRPC endpoint. This flaw permits clients to submit arbitrary URLs, forcing the server to perform unauthorized internal network requests without proper validation. As a result, attackers with valid user credentials can access sensitive internal API information or cloud metadata, highlighting the need for immediate remedial action. Users are strongly urged to update to version 1.136.2, which addresses and resolves this security issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

lobe-chat < 1.136.2

References

https://github.com/lobehub/lobe-chat/security/advisories/...

x_refsource_CONFIRM

https://github.com/lobehub/lobe-chat/commit/8d59583dca16f...

x_refsource_MISC

CVSS V3.1

Score:

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Oct 17, 2025
Vulnerability Reserved
Oct 15, 2025

JSON

Lobehub