{"url":"http://public2.vulnerablecode.io/api/packages/725108?format=json","purl":"pkg:npm/%40lobehub/chat@0.162.1","type":"npm","namespace":"@lobehub","name":"chat","version":"0.162.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.19.13","latest_non_vulnerable_version":"1.143.3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57844?format=json","vulnerability_id":"VCID-h44b-fwjs-r3ay","summary":"Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.19.13, server-side request forgery protection implemented in `src/app/api/proxy/route.ts` does not consider redirect and could be bypassed when attacker provides an external malicious URL which redirects to internal resources like a private network or loopback address. Version 1.19.13 contains an improved fix for the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47066","reference_id":"","reference_type":"","scores":[{"value":"0.05777","scoring_system":"epss","scoring_elements":"0.90687","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47066"},{"reference_url":"https://github.com/lobehub/lobe-chat","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/lobehub/lobe-chat"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47066","reference_id":"CVE-2024-47066","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/U
I:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47066"},{"reference_url":"https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf","reference_id":"e960a23b0c69a5762eb27d776d33dac443058faf","reference_type":"","scores":[{"value":"9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H"},{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:39:49Z/"}],"url":"https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf"},{"reference_url":"https://github.com/advisories/GHSA-3fc8-2r3f-8wrg","reference_id":"GHSA-3fc8-2r3f-8wrg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3fc8-2r3f-8wrg"},{"reference_url":"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-3fc8-2r3f-8wrg","reference_id":"GHSA-3fc8-2r3f-8wrg","reference_type":"","scores":[{"value":"9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H"},{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/
E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:39:49Z/"}],"url":"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-3fc8-2r3f-8wrg"},{"reference_url":"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc","reference_id":"GHSA-mxhq-xw3g-rphc","reference_type":"","scores":[{"value":"9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H"},{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:39:49Z/"}],"url":"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc"},{"reference_url":"https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts","reference_id":"route.ts","reference_type":"","scores":[{"value":"9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H"},{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:39:49Z/"}],"url":"https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33534?format=json","purl":"pkg:npm/%40lobehub/chat@1.19.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.19.13"}],"aliases"
:["CVE-2024-47066","GHSA-3fc8-2r3f-8wrg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h44b-fwjs-r3ay"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52835?format=json","vulnerability_id":"VCID-k2ph-kd1a-rqed","summary":"Lobe Chat is an open-source, AI chat framework. Versions of lobe-chat prior to 1.19.13 have an unauthorized SSRF vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information. The JWT token header X-Lobe-Chat-Auth stores the proxy address and OpenAI API Key and can be modified to scan an internal network in the target lobe-web environment. This issue has been addressed in release version 1.19.13 and all users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32965","reference_id":"","reference_type":"","scores":[{"value":"0.03038","scoring_system":"epss","scoring_elements":"0.86963","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32965"},{"reference_url":"https://github.com/lobehub/lobe-chat","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/lobehub/lobe-chat"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32965","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/
VI:N/VA:N/SC:H/SI:L/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32965"},{"reference_url":"https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf","reference_id":"e960a23b0c69a5762eb27d776d33dac443058faf","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-26T18:47:02Z/"}],"url":"https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf"},{"reference_url":"https://github.com/advisories/GHSA-2xcc-vm3f-m8rw","reference_id":"GHSA-2xcc-vm3f-m8rw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2xcc-vm3f-m8rw"},{"reference_url":"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-2xcc-vm3f-m8rw","reference_id":"GHSA-2xcc-vm3f-m8rw","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-26T18:47:02Z/"}],"url":"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-2xcc-vm3f-m8rw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33534?format=json","purl":"pkg:npm/%40lobehub/chat@1.19.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages
/pkg:npm/%2540lobehub/chat@1.19.13"}],"aliases":["CVE-2024-32965","GHSA-2xcc-vm3f-m8rw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k2ph-kd1a-rqed"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45463?format=json","vulnerability_id":"VCID-kw89-ta9h-tygf","summary":"Lobe Chat is an open-source LLMs/AI chat framework. In affected versions if an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. This issue has been addressed in version 0.162.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-37895","reference_id":"","reference_type":"","scores":[{"value":"0.00602","scoring_system":"epss","scoring_elements":"0.7","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-37895"},{"reference_url":"https://github.com/lobehub/lobe-chat","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/lobehub/lobe-chat"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37895","reference_id":"CVE-2024-37895","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37895"},{"reference_url":"https://github.com/advisories/GHSA-p36r-qxgx-jq2v","reference_id":"GHSA-p36r-qxgx-jq2v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1
_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p36r-qxgx-jq2v"},{"reference_url":"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-p36r-qxgx-jq2v","reference_id":"GHSA-p36r-qxgx-jq2v","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-18T14:05:08Z/"}],"url":"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-p36r-qxgx-jq2v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32227?format=json","purl":"pkg:npm/%40lobehub/chat@0.162.25","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-h44b-fwjs-r3ay"},{"vulnerability":"VCID-k2ph-kd1a-rqed"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@0.162.25"}],"aliases":["CVE-2024-37895","GHSA-p36r-qxgx-jq2v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kw89-ta9h-tygf"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@0.162.1"}