CVE-2024-37895 MEDIUM

CVE-2024-37895: API Key Leak in lobe-chat

Vendor Lobehub

Product lobe-chat

Weakness CWE-200 · Info exposure

Published June 17, 2024

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

5.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Lobe Chat is an open-source LLMs/AI chat framework. In affected versions if an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. This issue has been addressed in version 0.162.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

June 17, 2024 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-37895

Related vulnerabilities

04Related CVE

CVE-2023-30740 Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform CVE-2026-45267 Nextcloud: Missing permission check for from submissions CVE-2020-1779 Dynamic templates reveal sensitive data when OTRS tags are used CVE-2022-20954 Cisco TelePresence Collaboration Endpoint and RoomOS Software Vulnerabilities CVE-2026-28492 File Browser: Path Traversal in Public Share Links Exposes Files Outside Shared Directory