@lobehub/chat Server Side Request Forgery vulnerability

Description

lobe-chat before 1.19.13 has an unauthorized ssrf vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information.

Recommendation

Update the @lobehub/chat package to the latest compatible version. Followings are version details:

• Affected version(s): < 1.19.13
• Patched version(s): 1.19.13

References

• GHSA-2xcc-vm3f-m8rw
• CVE-2024-32965
• CWE-918
• CAPEC-310
• OWASP 2021-A10
• OWASP 2021-A6

Related Issues

• Valid ECDSA signatures erroneously rejected in Elliptic - CVE-2024-48948
• Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module - CVE-2025-62505
• cors-anywhere vulnerable to server-side request forgery - CVE-2020-36851
• Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages - CVE-2025-59417

Tags:

npm

@lobehub/chat