CVE-2024-32964 CRITICAL

CVE-2024-32964: lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability

Vendor Lobehub
Product lobe-chat
Weakness CWE-918 · SSRF
Published May 10, 2024
Last update August 2, 2024

CVSS base score

9.0/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Changed
Confidentiality High
Integrity Low
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H

What the vulnerability does

Description

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal input, and an extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthenticated Server-Side Request Forgery vulnerability in the /api/proxy endpoint: the endpoint fetched attacker-supplied URLs on the server's behalf, so an attacker could, without logging in, reach intranet services that are not exposed to the internet and leak sensitive information. Note that the description says no login is needed while the CVSS vector above records Privileges Required: High; when triaging, assume the unauthenticated case. Versions 0.150.6 and later contain the fix.
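The hardening a proxy endpoint like /api/proxy needs, as an added example in TypeScript. This is not lobe-chat's own code and not its actual fix. The vulnerable shape is a handler that fetches whatever `url` the client supplies; the functions below are the checks such a handler should apply before fetching. The names checkProxyTarget, isForbiddenAddress and pinTarget, the hostname denylist and the sample addresses are all assumptions of this example.

```typescript
// Added example, not lobe-chat's own code. A URL-forwarding proxy that
// fetches whatever `url` the client supplies is the vulnerable shape; the
// functions below are the checks a hardened proxy applies before fetching.
// Everything is pure and synchronous: the caller resolves DNS itself and
// passes the answers to pinTarget().

type Verdict = { ok: boolean; reason?: string };

function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// True for addresses a proxy must never contact: "this" network, loopback,
// RFC 1918, CGNAT, link-local (169.254.169.254 is the usual cloud metadata
// endpoint), and the IPv6 equivalents including IPv4-mapped addresses in
// both the dotted and the hex (WHATWG-serialised) spelling.
function isForbiddenAddress(addr: string): boolean {
  const v4 = parseIPv4(addr);
  if (v4) {
    const [a, b] = v4;
    return (
      a === 0 || a === 10 || a === 127 ||
      (a === 100 && b >= 64 && b <= 127) ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168)
    );
  }
  const v6 = addr.replace(/^\[|\]$/g, '').toLowerCase();
  if (v6 === '::' || v6 === '::1') return true;
  if (/^fe[89ab]/.test(v6) || /^f[cd]/.test(v6)) return true; // fe80::/10, fc00::/7
  const dotted = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/.exec(v6);
  if (dotted) return isForbiddenAddress(dotted[1]);
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
  if (hex) {
    const hi = parseInt(hex[1], 16);
    const lo = parseInt(hex[2], 16);
    return isForbiddenAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return false;
}

// Syntactic checks on the client-supplied URL. The WHATWG parser has already
// normalised hosts such as 0x7f000001, 2130706433, 127.1 and 0177.0.0.1 to
// 127.0.0.1, so the address check sees the canonical form. The hostname
// denylist is an example; a real deployment would also keep an allow-list of
// the upstreams the proxy is meant to reach.
function checkProxyTarget(raw: string): Verdict {
  const url = parseUrl(raw);
  if (!url) return { ok: false, reason: 'unparseable URL' };
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  const host = url.hostname;
  if (/(^|\.)localhost$/.test(host) || /\.internal$/.test(host)) {
    return { ok: false, reason: `hostname ${host} is internal` };
  }
  if (isForbiddenAddress(host)) return { ok: false, reason: `address ${host} is internal` };
  return { ok: true };
}

// Given the URL and every address the caller resolved for its host, reject if
// any answer is internal, otherwise return a request pinned to one address so
// a later DNS answer (rebinding) cannot redirect the connection. The original
// host is kept for the Host header and TLS SNI.
function pinTarget(raw: string, resolved: string[]): { url: string; hostHeader: string } | null {
  if (!checkProxyTarget(raw).ok || resolved.length === 0) return null;
  if (resolved.some(isForbiddenAddress)) return null;
  const url = parseUrl(raw)!;
  const hostHeader = url.host;
  const addr = resolved[0];
  url.hostname = addr.indexOf(':') >= 0 ? `[${addr}]` : addr;
  return { url: url.toString(), hostHeader };
}
```

A handler would resolve the host with Node's `dns.promises.lookup(host, { all: true })`, pass the addresses to pinTarget, and issue the request with `redirect: 'manual'`, re-running the same checks on every redirect hop, since a public host that 302s to 169.254.169.254 is the classic way past a check that only looks at the first URL.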

Key dates

Disclosure timeline

May 10, 2024 CVE published
August 2, 2024 Record updated