Regular Expression Denial of Service in LobeChat by LobeHub
CVE-2026-58578
What is CVE-2026-58578?
LobeChat is vulnerable to regular expression denial of service (ReDoS): an authenticated attacker can inject a catastrophic-backtracking pattern into the GitHub repository URL path used during skill import. Because the basePath parameter is interpolated into a regular expression without its regex metacharacters being escaped, a crafted value can block the Node.js event loop for extended periods, causing significant service disruption for all concurrent users. The flaw affects the performance and availability of the application and poses a risk to users relying on concurrent access.
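The defensive pattern for this class of bug, as an added illustration that is not LobeChat's own code: validate a user-supplied path segment against a narrow allowlist, then escape every regex metacharacter before it reaches `new RegExp`. The function names (`escapeRegExp`, `isSafeBasePath`, `buildBasePathMatcher`, `filterEntries`, `naiveFilterEntries`) and the sample repository entries are constructed for this example; they are assumptions, not LobeChat identifiers.

```javascript
// Added example, not LobeChat code. All names and sample data are constructed.

// Literal-escape every regex metacharacter so user input is matched as text.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Defence in depth: a repository sub-path only needs a small character set,
// so anything outside it is rejected before a RegExp is ever constructed.
const SAFE_BASEPATH = /^[A-Za-z0-9._\/-]{1,256}$/;
function isSafeBasePath(basePath) {
  return SAFE_BASEPATH.test(basePath) && !basePath.includes('..');
}

// Unsafe shape: interpolating basePath directly lets metacharacters in the
// input change the pattern (and, for some inputs, make matching backtrack
// catastrophically and block the event loop).
function naiveFilterEntries(basePath, entries) {
  const re = new RegExp('^' + basePath + '/');
  return entries.filter((p) => re.test(p));
}

// Hardened shape: validate, then escape, then anchor. The resulting pattern
// contains only literals, so it matches in linear time.
function buildBasePathMatcher(basePath) {
  if (!isSafeBasePath(basePath)) {
    throw new Error('basePath rejected: unexpected characters');
  }
  const trimmed = basePath.replace(/\/+$/, '');
  return new RegExp('^' + escapeRegExp(trimmed) + '/');
}

function filterEntries(basePath, entries) {
  const re = buildBasePathMatcher(basePath);
  return entries.filter((p) => re.test(p));
}

// Constructed sample: a "." in basePath exposes the difference between the two.
const SAMPLE_ENTRIES = ['docs.v1/README.md', 'docsXv1/README.md', 'other/file.txt'];
console.log(naiveFilterEntries('docs.v1', SAMPLE_ENTRIES)); // "." also matches "X"
console.log(filterEntries('docs.v1', SAMPLE_ENTRIES));      // literal match only
```

Where the only requirement is a prefix check, a plain `String.prototype.startsWith` avoids the regex engine entirely; the escaping helper is the right tool when the input genuinely has to become part of a pattern.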
Affected Version(s)
lobehub 0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved
