Vulnerabilities > CVE-2024-47066 - Server-Side Request Forgery (SSRF) vulnerability in Lobehub Lobe Chat
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.19.13, server-side request forgery protection implemented in `src/app/api/proxy/route.ts` does not consider redirect and could be bypassed when attacker provides an external malicious URL which redirects to internal resources like a private network or loopback address. Version 1.19.13 contains an improved fix for the issue.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/lobehub/lobe-chat/security/advisories/GHSA-3fc8-2r3f-8wrg
- https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc
- https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf
- https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts