THREATINT

We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Fathom (Privacy friendly web analytics)
Zendesk (Helpdesk and Chat)

Ok

Home | EN
Support
CVE
PUBLISHED

CVE-2024-32964

lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability

AssignerGitHub_M
Reserved2024-04-22
Published2024-05-10
Updated2024-06-06

Description

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information.



CRITICAL: 9.0CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

<= 0.150.5
affected

References

https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc

https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37

cve.org CVE-2024-32964

nvd.nist.gov CVE-2024-32964

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-32964
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
© Copyright 2024 THREATINT. Made in Cyprus with +