Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages

Severity:: Medium

Description

We identified a cross-site scripting (XSS) vulnerability when handling chat message in lobe-chat that can be escalated to remote code execution on the user’s machine.

Recommendation

Update the @lobehub/chat package to the latest compatible version. Followings are version details:

Affected version(s): <= 1.129.3
Patched version(s): 1.129.4

References

GHSA-m79r-r765-5f9j
CVE-2025-59417
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

LobeHub Vulnerable to Improper Authorization in Presigned Upload - CVE-2026-23835
Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion - CVE-2026-23522
Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module - CVE-2025-62505
Regular Expression Denial of Service (ReDoS) in lodash (GHSA-29mw-wpgm-hmr9) 3 - CVE-2020-28500

Tags:: npm; @lobehub/chat

Anything's wrong? Let us know Last updated on September 26, 2025