We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-32964

lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability



Description

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information.

Reserved 2024-04-22 | Published 2024-05-10 | Updated 2024-08-02 | Assigner GitHub_M


CRITICAL: 9.0CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

<= 0.150.5
affected

References

github.com/...e-chat/security/advisories/GHSA-mxhq-xw3g-rphc

github.com/...ommit/465665a735556669ee30446c7ea9049a20cc7c37

cve.org (CVE-2024-32964)

nvd.nist.gov (CVE-2024-32964)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-32964

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.