Plattform
nodejs
Komponente
@lobehub/chat
Behoben in
0.150.6
0.150.6
CVE-2024-32964 describes a critical Server-Side Request Forgery (SSRF) vulnerability discovered in the @lobehub/chat component, specifically affecting versions before 0.150.6. This flaw allows attackers to craft malicious requests, bypassing authentication and potentially accessing internal services. The vulnerability is located in the /api/proxy endpoint, enabling unauthorized data retrieval and manipulation. A fix is available in version 0.150.6.
The SSRF vulnerability in @lobehub/chat allows an attacker to bypass security controls and make requests to internal resources that are otherwise inaccessible. By manipulating the /api/proxy endpoint, an attacker can send requests to any internal service exposed within the network, potentially including databases, internal APIs, or other sensitive systems. Successful exploitation could lead to unauthorized data access, modification, or even complete compromise of internal infrastructure. The lack of authentication required for exploitation significantly broadens the attack surface and increases the potential for widespread impact.
This vulnerability was publicly disclosed on 2024-05-10. A proof-of-concept demonstrating the SSRF vulnerability is available on GitHub. The vulnerability's ease of exploitation and lack of authentication requirements suggest a medium probability of exploitation (EPSS score pending). No active campaigns have been publicly reported at the time of this writing.
Organizations utilizing @lobehub/chat in their applications, particularly those with internal services exposed via APIs, are at risk. Environments with weak network segmentation or inadequate access controls are especially vulnerable. Shared hosting environments where multiple users share the same server instance could also be impacted if one user's application is compromised.
• nodejs / server:
ps aux | grep @lobehub/chat
npm list @lobehub/chat• generic web:
curl -I https://your-chat-domain.com/api/proxy
# Look for unexpected internal IP addresses or hostnames in the response headersdisclosure
Exploit-Status
EPSS
72.72% (99% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2024-32964 is to immediately upgrade to @lobehub/chat version 0.150.6 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting outbound network access from the @lobehub/chat component to only necessary destinations. Implement strict input validation on the /api/proxy endpoint to prevent malicious URL construction. Monitor network traffic for unusual outbound requests originating from the @lobehub/chat component. After upgrading, verify the fix by attempting to access an internal service through the /api/proxy endpoint; the request should be denied.
Aktualisieren Sie Lobe Chat auf Version 0.150.6 oder höher. Diese Version behebt die Server-Side Request Forgery (SSRF) Schwachstelle im Endpoint `/api/proxy`. Das Update verhindert, dass Angreifer unautorisierte Anfragen an interne Dienste stellen und sensible Informationen abrufen können.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-32964 is a critical SSRF vulnerability affecting @lobehub/chat versions before 0.150.6, allowing attackers to access internal services and leak sensitive information.
You are affected if you are using @lobehub/chat versions prior to 0.150.6. Immediately check your dependencies and upgrade if necessary.
Upgrade to @lobehub/chat version 0.150.6 or later. As a temporary workaround, restrict access to the /api/proxy endpoint using a WAF or proxy server.
While no confirmed active exploitation campaigns have been reported, a public proof-of-concept exists, increasing the risk of exploitation.
Refer to the official @lobehub/chat GitHub repository for updates and advisories related to CVE-2024-32964: https://github.com/lobehub/lobe-chat
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.