QwikSec

Security Database

CVE

CWE

Training

CVE-2024-47066

Published: Sep 23, 2024

Modified: Sep 23, 2024

PUBLISHED

CVSS v3.1

9.0

CRITICAL

Description

Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.19.13, server-side request forgery protection implemented in `src/app/api/proxy/route.ts` does not consider redirect and could be bypassed when attacker provides an external malicious URL which redirects to internal resources like a private network or loopback address. Version 1.19.13 contains an improved fix for the issue.

Vendor	Product	Versions
lobehub	lobe-chat	affected `< 1.19.13`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

High

References

https://github.com/lobehub/lobe-chat/security/advisories/GHSA-3fc8-2r3f-8wrg

x_refsource_CONFIRM

https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc

x_refsource_MISC

https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf

x_refsource_MISC

https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.