Assigner | GitHub_M |
Reserved | 2024-04-22 |
Published | 2024-05-10 |
Updated | 2024-06-06 |
Description
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H |
Problem types
CWE-918: Server-Side Request Forgery (SSRF)
Product status
References
https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc
https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37