CVE-2024-32964
Severity CVSS v4.0:
Pending analysis
Type:
CWE-918
Server-Side Request Forgery (SSRF)
Publication date:
14/05/2024
Last modified:
30/09/2025
Description
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information.
Impact
Base Score 3.x
9.00
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:lobehub:lobe_chat:*:*:*:*:*:*:*:* | 0.150.6 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37
- https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc
- https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37
- https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc