Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module
- Severity:
- Low
Description
Vulnerability Overview
- When the client sends an arbitrary URL array and `impl: ["naive"]` to the tRPC endpoint `tools.search.crawlPages`, the server issues outbound HTTP requests directly to those URLs. There is no defensive logic that restricts or validates requests to internal networks (127.0.0.
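As an added illustration (not Lobe Chat's own code) of the missing defensive logic the description refers to, the guard below is a hypothetical pre-fetch check a crawler endpoint could run on each URL before issuing the request; it assumes Node's global WHATWG `URL` and the function name `isSafeCrawlTarget` is an assumption:

```typescript
// Added example, not Lobe Chat's own code: a pre-fetch guard that rejects non-http(s)
// schemes and loopback, private, link-local, shared or unspecified destination addresses.
// The WHATWG URL parser (Node's global URL) normalises shorthand IPv4 forms such as
// "127.1" or "2130706433" to dotted-decimal before these checks run.
function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

function isBlockedIPv4(o: number[]): boolean {
  return (
    o[0] === 0 ||                                  // 0.0.0.0/8 ("this" network)
    o[0] === 10 ||                                 // 10.0.0.0/8
    o[0] === 127 ||                                // 127.0.0.0/8 loopback
    (o[0] === 100 && o[1] >= 64 && o[1] <= 127) || // 100.64.0.0/10 shared address space
    (o[0] === 169 && o[1] === 254) ||              // 169.254.0.0/16 link-local, cloud metadata
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||  // 172.16.0.0/12
    (o[0] === 192 && o[1] === 168)                 // 192.168.0.0/16
  );
}

function isBlockedIPv6(h: string): boolean {
  if (h === '::' || h === '::1') return true;                 // unspecified / loopback
  if (/^f[cd]/.test(h) || /^fe[89ab]/.test(h)) return true;   // fc00::/7 ULA, fe80::/10 link-local
  const mapped = /^::ffff:(.+)$/.exec(h);                     // IPv4-mapped, e.g. ::ffff:7f00:1
  if (!mapped) return false;
  let o: number[] | null = null;
  if (mapped[1].includes('.')) o = parseIPv4(mapped[1]);
  else {
    const p = mapped[1].split(':').map((x) => parseInt(x, 16));
    if (p.length === 2 && !p.some(Number.isNaN)) o = [p[0] >> 8, p[0] & 0xff, p[1] >> 8, p[1] & 0xff];
  }
  return o === null || isBlockedIPv4(o);                      // unparseable mapped form: block
}

function isSafeCrawlTarget(raw: string): boolean {
  let url: URL;
  try { url = new URL(raw); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  let host = url.hostname.toLowerCase();
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1); // IPv6 literal
  if (host.includes(':')) return !isBlockedIPv6(host);
  const v4 = parseIPv4(host);
  if (v4) return !isBlockedIPv4(v4);
  // Other hostnames must be resolved and every address re-checked (and pinned) against DNS rebinding.
  return host !== 'localhost';
}
```

A literal-address check alone is not sufficient: a hostname that resolves to an internal address, or that changes its answer between the check and the fetch, passes this guard, so the resolved addresses must be validated with the same rules and the connection pinned to them.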
Recommendation
Update the @lobehub/chat package to the latest compatible version. Version details are as follows:
- Affected version(s): <= 1.136.1
- Patched version(s): 1.136.2
References
Related Issues
- Regular Expression Denial of Service (ReDoS) in lodash (GHSA-x5rq-j2xg-h7qm) - CVE-2019-1010266
- Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages - CVE-2025-59417
- lobe-chat has an Open Redirect - CVE-2025-59426
- Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query - CVE-2025-31125
- Tags:
- npm
- @lobehub/chat
Last updated on October 17, 2025