Description
The file upload feature in Knowledge Base > File Upload trusts parameters supplied by the client in the upload request instead of validating them server-side, so a user who intercepts and modifies the request can change what the server does with the upload. As a result, it is possible to create files at arbitrary, unintended storage paths. In addition, because lobechat.com calculates file usage from the size parameter sent in the request rather than from the object actually stored, an attacker can misrepresent the real file size so that usage is miscounted: for example, uploading a 1 GB file while declaring it as 10 MB, or declaring a 10 MB file as 1 GB.
Recommendation
Update the @lobehub/chat package to the latest compatible version. Version details:
- Affected version(s): < 1.143.3
- Patched version(s): 1.143.3
References
Related Issues
- Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- @lobehub/chat vulnerable to unauthorized access to plugins - CVE-2024-24566
- Immutable is vulnerable to Prototype Pollution - CVE-2026-29063
Tags:
- npm
- @lobehub/chat
Last updated on February 01, 2026