Package Instance

LobeHub Vulnerable to Improper Authorization in Presigned Upload
The file upload feature in `Knowledge Base > File Upload` does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since `lobechat.com` relies on the size parameter from the request to calculate file usage, an attacker can manipulate this value to misrepresent the actual file size, such as uploading a `1 GB` file while reporting it as `10 MB`, or falsely declaring a `10 MB` file as a `1 GB` file.

Lobe Chat API Key Leak
If an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request.

Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module
---

- Since the server performs outbound requests to internal networks, localhost, and metadata endpoints, an attacker can abuse the server’s network position to access internal resources (internal APIs, management ports, cloud metadata, etc.).

- As a result, this can lead to exposure of internal system information, leakage of authentication tokens/secret keys (e.g., IMDSv1/v2), misuse of internal admin interfaces, and provide a foothold for further lateral movement.

- By leveraging user-supplied impls to force the unfiltered naive implementation, SSRF defenses—such as blocking private/metadata IPs, DNS re-validation/re-resolution, and redirect restrictions—can be bypassed.

Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages
We identified a cross-site scripting (XSS) vulnerability when handling chat message in lobe-chat that can be escalated to remote code execution on the user’s machine. Any party capable of injecting content into chat messages, such as hosting a malicious page for prompt injection, operating a compromised MCP server, or leveraging tool integrations, can exploit this vulnerability.

Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion
`knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership.

Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE)
A stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE).

lobe-chat implemented an insufficient fix for GHSA-mxhq-xw3g-rphc (CVE-2024-32964)
SSRF protection implemented in https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts does not consider redirect and could be bypassed when attacker provides external malicious url which redirects to internal resources like private network or loopback address.

lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability
The latest version of lobe-chat(by now v0.141.2) has an unauthorized ssrf vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information.

@lobehub/chat Server Side Request Forgery vulnerability
lobe-chat before 1.19.13 has an unauthorized ssrf vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information.

lobe-chat has an Open Redirect
---

- It can force users to redirect to untrusted external domains, leading to subsequent attacks such as phishing, credential harvesting, and session fixation.
- It can disrupt the OAuth/OIDC flow user experience by redirecting users to malicious domains disguised as legitimate pages (even though this path doesn't directly include tokens, it can be exploited for social engineering attacks through redirect chains).
- The impact can be amplified when redirect chains are combined with other vulnerabilities such as CSP bypass or cache poisoning.

Improper Access Control
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. When the application is password-protected (deployed with the `ACCESS_CODE` option), it is possible to access plugins without proper authorization (without password). This vulnerability is patched in 0.122.4.