Platform
nodejs
Component
@lobehub/chat
Fixed in
1.19.14
1.19.13
CVE-2024-47066 describes a critical Server-Side Request Forgery (SSRF) vulnerability in Lobe Chat (@lobehub/chat). The application's proxy functionality checks the URL it is asked to fetch, but it follows HTTP redirects returned by that URL without checking the redirect target. An attacker can therefore submit a URL on a host they control that answers with a redirect to an internal address, bypassing the SSRF protection and reaching internal resources and private network segments. The vulnerability affects versions of @lobehub/chat prior to 1.19.13; upgrading to 1.19.13 or later resolves it.
After the redirect, the request is made from the Lobe Chat server, so the attacker reaches whatever that server can reach: data on internal servers, internal APIs (including, on cloud hosts, instance metadata endpoints that hand out credentials), and other services on the internal network, which can be enumerated by probing addresses and ports. Depending on which of these are reachable, successful exploitation can lead to unauthorized data disclosure, privilege escalation via the credentials or APIs exposed, and in the worst case compromise of the host. Because the bypass defeats the existing SSRF check rather than exploiting a missing one, it materially widens the attack surface and the vulnerability is treated as high severity. The technique is the familiar SSRF pattern in which an HTTP redirect from an allowed host is used to slip past a check that only inspects the initial URL.
CVE-2024-47066 was publicly disclosed on September 23, 2024. A proof-of-concept (PoC) demonstrating the vulnerability is publicly available, which lowers the bar for exploitation. The severity is rated CRITICAL (CVSS score 9.0). Note that CVSS rates impact and exploitability, not the probability of exploitation; the EPSS figure on this page estimates that. The vulnerability is not currently listed in the CISA KEV catalog, but the public PoC and ease of exploitation warrant close monitoring, and active campaigns are possible.
Organizations running @lobehub/chat in production, particularly deployments that expose its proxy functionality to fetch external URLs on behalf of users, are at significant risk. Shared hosting environments where several users' applications run on the same server are also exposed: an attacker can use another user's vulnerable Lobe Chat instance as the pivot into the shared internal network.
• nodejs / server: check the version of the deployed Lobe Chat checkout or image (anything below 1.19.13 is affected) and whether the proxy route that performs outbound fetches is present:
grep '"version"' package.json
ls src/app/api/proxy/route.ts   # route source: https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts
• generic web: test whether the exposed proxy endpoint follows redirects to internal addresses. Point it at a URL you control that answers with a 302 whose Location is an internal address (a link-local or RFC 1918 address) and check whether the response carries the internal resource. Inspecting only the endpoint's own response headers (curl -I <lobehub/chat endpoint> | grep 'Location:') shows whether the front end redirects, not whether the proxy does.
Exploit status
EPSS
5.78% (90th percentile)
The primary mitigation for CVE-2024-47066 is to upgrade @lobehub/chat to version 1.19.13 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, two interim controls apply. A Web Application Firewall (WAF) rule in front of the application can block requests whose submitted URL already points at an internal address (loopback, RFC 1918, link-local, cloud metadata); be aware that a WAF sees only the URL the client submits, not the redirect the proxy follows afterwards, so it does not stop the redirect bypass itself. The more effective interim control is on the egress side: restrict outbound connections from the Lobe Chat host so that it cannot reach internal address ranges or the metadata endpoint at all. Additionally, review and restrict the domains and protocols the proxy functionality is allowed to fetch, and make sure any such allow-list is applied to every URL in a redirect chain, not only the first. After upgrading, confirm the fix by attempting to trigger the SSRF with a known redirect to an internal address and verifying that the request is blocked.
Update Lobe Chat to version 1.19.13 or later. This version contains a fix for the Server-Side Request Forgery (SSRF) vulnerability. The update mitigates the risk of an attacker reaching internal resources via malicious redirects.
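As an added example, not code from the lobe-chat project (the real proxy route is not reproduced here; the example assumes only that a proxy validates a submitted URL and then fetches it), the TypeScript below shows the redirect bypass described in the impact section beside a fetch loop that re-runs the policy on every hop, which is also what the advice above to restrict allowed domains and protocols requires in practice. demoFetch, demoResolve, the hostnames, addresses and response bodies are constructed for the example and are not real hosts.

```typescript
// Added example (not lobe-chat's own code): a URL proxy that validates only
// the user-supplied URL, beside one that validates every hop of the redirect chain.

interface SimpleResponse {
  status: number;
  headers: Record<string, string>; // header names lower-cased
  body: string;
}

// One-hop fetcher: returns the raw response and never follows redirects,
// i.e. the behaviour of fetch(url, { redirect: "manual" }).
type Fetcher = (url: string) => SimpleResponse;
// Hostname -> IPv4 address, standing in for DNS resolution.
type Resolver = (hostname: string) => string | undefined;

interface ProxyResult {
  ok: boolean;
  finalUrl: string; // last URL the proxy tried to fetch
  status: number;
  body: string;
  reason?: string; // why the request was refused
}

const MAX_HOPS = 5;
const IPV4_LITERAL = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for addresses the proxy must never reach: "this network", RFC 1918,
// loopback, link-local (cloud metadata lives at 169.254.169.254) and CGNAT space.
function isPrivateIPv4(ip: string): boolean {
  const m = IPV4_LITERAL.exec(ip);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127)
  );
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Returns null if the proxy may fetch this URL, otherwise the reason it may not.
// The decision is made on the address the host resolves to, not on the name alone.
function checkTarget(raw: string, resolve: Resolver): string | null {
  const url = parseUrl(raw);
  if (!url) return "unparseable URL";
  if (url.protocol !== "http:" && url.protocol !== "https:") return `scheme ${url.protocol} not allowed`;
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return "localhost not allowed";
  if (host.startsWith("[")) return "IPv6 literal not allowed"; // real code must classify these too
  const ip = IPV4_LITERAL.test(host) ? host : resolve(host);
  if (ip === undefined) return `cannot resolve ${host}`;
  if (isPrivateIPv4(ip)) return `${host} -> ${ip} is an internal address`;
  return null;
}

function follow(start: string, fetcher: Fetcher, resolve: Resolver, checkEveryHop: boolean): ProxyResult {
  let current = start;
  for (let hop = 0; hop <= MAX_HOPS; hop++) {
    // Vulnerable variant: only the URL the client submitted (hop 0) is checked.
    // Hardened variant: every URL in the chain is checked before it is fetched.
    if (hop === 0 || checkEveryHop) {
      const reason = checkTarget(current, resolve);
      if (reason !== null) return { ok: false, finalUrl: current, status: 0, body: "", reason };
    }
    const res = fetcher(current);
    const location = res.headers["location"];
    if (res.status >= 300 && res.status < 400 && location) {
      current = new URL(location, current).toString(); // Location may be relative
      continue;
    }
    return { ok: true, finalUrl: current, status: res.status, body: res.body };
  }
  return { ok: false, finalUrl: current, status: 0, body: "", reason: "too many redirects" };
}

// The bypass: the submitted URL passes the check, the redirect target is never looked at.
function proxyFetchVulnerable(url: string, fetcher: Fetcher, resolve: Resolver): ProxyResult {
  return follow(url, fetcher, resolve, false);
}

// The fix: re-run the policy on every hop.
function proxyFetchHardened(url: string, fetcher: Fetcher, resolve: Resolver): ProxyResult {
  return follow(url, fetcher, resolve, true);
}

// Constructed stand-ins for DNS and for the servers involved (not real hosts).
const demoResolve: Resolver = (host) => {
  const table: Record<string, string> = {
    "evil.example": "203.0.113.10",
    "public.example": "203.0.113.20",
    "internal.corp.example": "10.0.0.5",
  };
  return table[host];
};

const demoFetch: Fetcher = (url) => {
  const routes: Record<string, SimpleResponse> = {
    "https://public.example/data": { status: 200, headers: {}, body: "public data" },
    // Attacker-controlled host: answers with a redirect into the private network.
    "https://evil.example/go": { status: 302, headers: { location: "http://169.254.169.254/latest/meta-data/" }, body: "" },
    "https://evil.example/hop": { status: 302, headers: { location: "https://internal.corp.example/admin" }, body: "" },
    "http://169.254.169.254/latest/meta-data/": { status: 200, headers: {}, body: "instance metadata (constructed)" },
    "https://internal.corp.example/admin": { status: 200, headers: {}, body: "internal admin page (constructed)" },
  };
  return routes[url] ?? { status: 404, headers: {}, body: "not found" };
};

const attackerUrl = "https://evil.example/go";
console.log("vulnerable:", proxyFetchVulnerable(attackerUrl, demoFetch, demoResolve));
console.log("hardened:  ", proxyFetchHardened(attackerUrl, demoFetch, demoResolve));
```

Two points the example is built around: the decision is made on the resolved address, because a redirect to a hostname that resolves into RFC 1918 space is as dangerous as one to a literal address, and the check runs before every fetch, which with the real fetch() means using redirect: "manual" and handling the Location header yourself. Production code additionally has to classify IPv6 addresses, cover alternative IPv4 spellings (decimal, octal, hexadecimal forms), and pin the resolved address for the actual connection so that DNS cannot change between the check and the request.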
CVE-2024-47066 is a critical SSRF vulnerability in the @lobehub/chat component, allowing attackers to bypass SSRF protections and access internal resources.
You are affected if you are using a version of @lobehub/chat prior to 1.19.13.
Upgrade to version 1.19.13 or later. As an interim measure, restrict outbound connections from the Lobe Chat host to internal address ranges; a WAF in front of the application can only filter the URLs users submit, not the redirects the proxy follows.
While active exploitation has not been confirmed, the availability of a public PoC increases the likelihood of exploitation, so proactive mitigation is recommended.
Refer to the official GitHub repository for @lobehub/chat for updates and advisories: https://github.com/lobehub/lobe-chat