Platform
nodejs
Component
@lobehub/chat
Fixed in
1.19.14
1.19.13
CVE-2024-32965 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in @lobehub/chat versions before 1.19.13. This flaw allows unauthenticated attackers to craft malicious requests, potentially accessing internal resources and leaking sensitive data. The vulnerability is exploitable by manipulating the proxy address within the OpenAI API Key settings, and a fix is available in version 1.19.13.
The SSRF vulnerability in @lobehub/chat poses a significant risk because it bypasses authentication controls. An attacker can leverage this to send requests to internal services that are not directly accessible from the outside world. This could involve accessing sensitive data stored on internal servers, interacting with internal APIs, or even triggering actions on other systems within the network. The potential blast radius extends to any internal resource accessible via HTTP or HTTPS, making it crucial to address this vulnerability promptly. The ability to bypass authentication significantly increases the impact, as it removes a common barrier to entry for attackers.
This vulnerability was publicly disclosed on 2024-11-26. There are currently no reports of active exploitation campaigns targeting this specific vulnerability. A public proof-of-concept (PoC) is available, demonstrating the ease of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 8.1 (HIGH) reflects the potential impact and ease of exploitation.
Organizations using @lobehub/chat for local LLM experimentation or development are at risk, particularly those with sensitive internal services accessible via HTTP or HTTPS. Shared hosting environments where multiple users share the same @lobehub/chat instance are also at increased risk, as a compromised user could potentially exploit the SSRF vulnerability to access other users' data or internal resources.
• nodejs / server: ps aux | grep @lobehub/chat
• nodejs / server: npm list @lobehub/chat
• generic web: Review access logs for outbound requests to internal IP addresses (e.g., 127.0.0.1, 192.168.x.x, 10.x.x.x) originating from the @lobehub/chat application.
• generic web: Monitor response headers for unexpected content or error messages indicating SSRF attempts.
Disclosure
Exploit status
EPSS
0.16% (36th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-32965 is to immediately upgrade @lobehub/chat to version 1.19.13 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) to filter outbound requests and block those targeting internal IP addresses or sensitive endpoints. Additionally, restrict network access to the @lobehub/chat instance to only authorized users and systems. Monitor logs for unusual outbound requests originating from the application, specifically looking for requests to internal IP addresses. No specific Sigma or YARA rules are readily available, but custom rules can be created to detect requests to internal networks.
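The log review listed in the detection steps and the custom detection rules mentioned here can be expressed as a small Node.js check; this is an added example, not code from the advisory or from the @lobehub/chat project. The CIDR list, the function names and the "<timestamp> outbound <url>" log format are assumptions made for the example.

```javascript
// Added example, not code from the advisory or from @lobehub/chat. It rejects a
// user-supplied proxy/base URL that points at internal address space and scans outbound logs.

const INTERNAL_V4 = [
  '127.0.0.0/8',    // loopback
  '10.0.0.0/8',     // RFC 1918
  '172.16.0.0/12',  // RFC 1918
  '192.168.0.0/16', // RFC 1918
  '169.254.0.0/16', // link-local
];

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if not a plain IPv4 literal.
function ipv4ToInt(s) {
  const parts = s.split('.').map((p) => (/^\d{1,3}$/.test(p) && Number(p) <= 255 ? Number(p) : NaN));
  return parts.length === 4 && !parts.some(Number.isNaN) ? parts.reduce((n, p) => n * 256 + p, 0) : null;
}
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = (~0 << (32 - Number(bits))) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}
// True for loopback/private/link-local literals. A DNS name returns false here:
// it must be resolved and the resulting address re-checked at connect time.
function isInternalHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase(); // strip IPv6 brackets
  if (h === 'localhost' || h.endsWith('.localhost') || h === '::1' || h === '::') return true;
  const n = ipv4ToInt(h);
  return n !== null && INTERNAL_V4.some((c) => inCidr(n, c));
}
// Validate a proxy/base URL before it is stored or used for an upstream request.
function checkProxyUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return { ok: false, reason: 'unparseable' }; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (isInternalHost(u.hostname)) return { ok: false, reason: 'internal host' };
  return { ok: true, reason: '' };
}

// Constructed sample log lines in the assumed form "<timestamp> outbound <url>".
const SAMPLE_LOG = [
  '2024-11-26T10:00:01Z outbound https://api.openai.com/v1/chat/completions',
  '2024-11-26T10:00:05Z outbound http://127.0.0.1:8080/v1/chat/completions',
  '2024-11-26T10:00:09Z outbound http://10.0.0.5:9200/v1/chat/completions',
  '2024-11-26T10:00:12Z outbound https://api.example.com/v1/chat/completions',
];
// Return the log lines whose outbound destination fails checkProxyUrl.
function scanOutboundLog(lines) {
  return lines.filter((l) => { const m = l.match(/outbound (\S+)/); return m && !checkProxyUrl(m[1]).ok; });
}
```

Hostnames pass the literal check, so a deployment must also resolve them and re-check the resolved address at connect time, otherwise a name that resolves internally slips through.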
Update Lobe Chat to version 1.19.13 or higher. This version fixes the SSRF vulnerability that allows attackers to make unauthorized requests and access sensitive information. The update is the only known solution.
CVE-2024-32965 is a Server-Side Request Forgery vulnerability in @lobehub/chat versions before 1.19.13, allowing attackers to access internal resources without authentication.
If you are using @lobehub/chat versions prior to 1.19.13, you are potentially affected by this SSRF vulnerability.
Upgrade @lobehub/chat to version 1.19.13 or later to resolve this vulnerability. Consider WAF rules as a temporary mitigation.
While there are no confirmed reports of active exploitation, a public proof-of-concept exists, making exploitation possible.
Refer to the @lobehub/chat project's release notes and security advisories for the latest information on CVE-2024-32965.