@lobehub/chat Server Side Request Forgery vulnerability

Severity:: High

Description

lobe-chat before 1.19.13 has an unauthorized ssrf vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information.

Recommendation

Update the @lobehub/chat package to the latest compatible version. Followings are version details:

Affected version(s): < 1.19.13
Patched version(s): 1.19.13

References

GHSA-2xcc-vm3f-m8rw
CVE-2024-32965
CWE-918
CAPEC-310
OWASP 2021-A10
OWASP 2021-A6

Related Issues

lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability - CVE-2024-32964
Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module - CVE-2025-62505
Strapi Server-Side Request Forgery (SSRF) - CVE-2024-37818
HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-59155

Tags:: npm; @lobehub/chat

Anything's wrong? Let us know Last updated on November 26, 2024