THREATINT


PUBLISHED

CVE-2024-32964

lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability

Reserved: 2024-04-22
Published: 2024-05-10
Updated: 2024-06-06

Description

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and an extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the `/api/proxy` endpoint. Without logging in, an attacker can construct malicious requests that cause Server-Side Request Forgery, attack intranet services, and leak sensitive information.



CRITICAL: 9.0 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H)

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

<= 0.150.5: affected

References

https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc

https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37

cve.org CVE-2024-32964

nvd.nist.gov CVE-2024-32964
