CVE-2024-47066

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-47066
Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.19.13, server-side request forgery protection implemented in `src/app/api/proxy/route.ts` does not consider redirect and could be bypassed when attacker provides an external malicious URL which redirects to internal resources like a private network or loopback address. Version 1.19.13 contains an improved fix for the issue.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts Broken Link
https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf Patch
https://github.com/lobehub/lobe-chat/security/advisories/GHSA-3fc8-2r3f-8wrg Exploit Third Party Advisory
https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc Not Applicable
Configurations

Configuration 1 (hide)

cpe:2.3:a:lobehub:lobe_chat:*:*:*:*:*:*:*:*
History

30 Sep 2024, 18:03

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 9.0 		v2 : unknown
v3 : 8.8
First Time Lobehub lobe Chat
Lobehub
CPE cpe:2.3:a:lobehub:lobe_chat:*:*:*:*:*:*:*:*
References () https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts - () https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts - Broken Link
References () https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf - () https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf - Patch
References () https://github.com/lobehub/lobe-chat/security/advisories/GHSA-3fc8-2r3f-8wrg - () https://github.com/lobehub/lobe-chat/security/advisories/GHSA-3fc8-2r3f-8wrg - Exploit, Third Party Advisory
References () https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc - () https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc - Not Applicable

26 Sep 2024, 13:32

Type Values Removed Values Added
Summary
  • (es) Lobe Chat es un framework de chat de inteligencia artificial de código abierto. Antes de la versión 1.19.13, la protección contra server-side request forgery implementado en `src/app/api/proxy/route.ts` no tiene en cuenta la redirección y se puede omitir cuando el atacante proporciona una URL maliciosa externa que redirige a recursos internos como una red privada o una dirección de loopback. La versión 1.19.13 contiene una solución mejorada para el problema.

23 Sep 2024, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-23 16:15

Updated : 2024-09-30 18:03

NVD link : CVE-2024-47066

Mitre link : CVE-2024-47066

CVE.ORG link : CVE-2024-47066

JSON object : View

Products Affected

lobehub

  • lobe_chat
CWE
CWE-918

Server-Side Request Forgery (SSRF)