Description
The file upload feature in Knowledge Base > File Upload does not validate the integrity of the upload request, so a user can intercept the request and modify its parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since lobechat.com relies on the size parameter from the request to calculate file usage, an attacker can manipulate this value to misrepresent the actual file size, for example uploading a 1 GB file while reporting it as 10 MB, or falsely declaring a 10 MB file as a 1 GB file.
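The defensive pattern the fix calls for, as an added illustration that is not LobeChat's own code: the server derives the storage key from a fixed per-user prefix plus a sanitised file name, and charges quota on the bytes actually received rather than on the client's declared size. The `UploadRequest` shape, the prefix layout and the 100 MB limit are assumptions for this example.

```typescript
// Added example (not from @lobehub/chat): server-side handling of a
// knowledge-base upload where "path" and "size" from the client are untrusted.
import * as path from "node:path";

interface UploadRequest {
  userId: string;        // taken from the authenticated session, never the body
  requestedName: string; // client-supplied file name or path (untrusted)
  declaredSize: number;  // client-supplied size (untrusted)
  body: Uint8Array;      // the bytes the server actually received
}

interface AcceptedUpload {
  objectKey: string;  // storage key confined to the user's own prefix
  billedSize: number; // size charged against the user's quota
}

const MAX_UPLOAD_BYTES = 100 * 1024 * 1024; // assumed limit for this example

// Collapse whatever the client sent to a single safe file name under the
// user's prefix, so "../../etc/x", "/abs/x" and "..\\x" all become "x".
function resolveObjectKey(userId: string, requestedName: string): string {
  const base = path.posix.basename(requestedName.replace(/\\/g, "/"));
  if (base === "" || base === "." || base === ".." || /[\x00-\x1f]/.test(base)) {
    throw new Error("invalid file name");
  }
  return `users/${userId}/files/${base}`;
}

function acceptUpload(req: UploadRequest): AcceptedUpload {
  const actualSize = req.body.byteLength;
  if (actualSize > MAX_UPLOAD_BYTES) {
    throw new Error("file too large");
  }
  // A declared size that disagrees with the received bytes is a tampered
  // request; reject it instead of silently trusting either value.
  if (req.declaredSize !== actualSize) {
    throw new Error(`declared size ${req.declaredSize} != actual ${actualSize}`);
  }
  return {
    objectKey: resolveObjectKey(req.userId, req.requestedName),
    billedSize: actualSize, // quota is charged on what was really stored
  };
}
```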
Recommendation
Update the @lobehub/chat package to the latest compatible version. The following are the version details:
- Affected version(s): < 1.143.3
- Patched version(s): 1.143.3
References
Related Issues
- Server secret was included in static assets and served to clients - Vulnerability
- Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE) - CVE-2026-23733
- Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion - CVE-2026-23522
- ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay - CVE-2025-68113
Tags:
- npm
- @lobehub/chat
Last updated on February 01, 2026