Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module
- Severity: Low
Description
Vulnerability Overview
- When the client sends an arbitrary URL array and impl: ["naive"] to the tRPC endpoint tools.search.crawlPages, the server issues outbound HTTP requests directly to those URLs. There is no defensive logic that restricts or validates requests to internal networks (127.0.0.
Recommendation
Update the @lobehub/chat package to the latest compatible version. Version details:
- Affected version(s): <= 1.136.1
- Patched version(s): 1.136.2
References
Related Issues
- lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability - CVE-2024-32964
- @lobehub/chat Server Side Request Forgery vulnerability - CVE-2024-32965
- Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) (GHSA-x8rq-rc7x-5fg5) - CVE-2022-0086
- Tags: npm, @lobehub/chat
Last updated on October 17, 2025