Platform
nodejs
Component
@lobehub/chat
Fixed in
1.136.3
1.136.2
CVE-2025-62505 describes a Server-Side Request Forgery (SSRF) vulnerability in the @lobehub/chat component. The flaw lets an attacker coerce the server into issuing HTTP requests to attacker-chosen URLs, which can expose internal services or sensitive data that are reachable only from the server's network position. The vulnerability affects versions prior to 1.136.2 and was published on 2025-10-17. A fix is available in version 1.136.2.
The SSRF vulnerability in @lobehub/chat arises from insufficient validation of client-supplied URLs in the tools.search.crawlPages tRPC endpoint. When a client sends an array of URLs and selects the 'naive' implementation, the server issues HTTP requests to those URLs directly, without checking the scheme or the destination address. An attacker can therefore craft a URL array that targets internal network resources (e.g. 127.0.0.1, localhost, private IP ranges) or cloud metadata endpoints (e.g. 169.254.169.254). Successful exploitation could give unauthorized access to internal services, allow data exfiltration through the fetched responses, or cause denial of service if the attacker can make the server issue many or slow requests.
The practical impact depends on the deployment: what the LobeChat server can reach from its network position (internal admin interfaces, cloud metadata services, other HTTP-speaking backends) determines what an attacker gains. The vulnerability is not listed in CISA's KEV catalogue, and its EPSS score is low (0.02%, 6th percentile). Public proof-of-concept code is not yet widely available, but the flaw is straightforward to exploit: the attacker only needs to submit a crafted URL array to the endpoint. Given that, and the absence of in-application mitigations short of upgrading, the probability of exploitation is considered medium.
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-62505 is to upgrade @lobehub/chat to version 1.136.2 or later, which adds the missing validation to the crawl endpoint. If upgrading is not immediately possible, reduce exposure with egress filtering at the network layer: a WAF only inspects inbound traffic, so the outbound requests the server makes must be constrained by a host firewall, a forward proxy, or cloud network policy. Deny connections from the LobeChat host to loopback (127.0.0.0/8, ::1), link-local and cloud metadata addresses (169.254.0.0/16, fe80::/10), and the private ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and fc00::/7; where the platform supports it, also require session-based access to the metadata service (for example IMDSv2 on AWS). Note that a filter keyed on the URL string alone can be bypassed by a public hostname that resolves to an internal address or redirects to one; filtering should act on the resolved destination. After upgrading, confirm the fix in a non-production deployment by invoking the tools.search.crawlPages endpoint with a URL pointing at an internal resource (e.g. http://127.0.0.1 or http://169.254.169.254); the request should be rejected before any connection is made.
Update LobeChat to version 1.136.2 or later. This version fixes the SSRF vulnerability in the native web fetch module. There are no known workarounds within the application itself, so updating is the only way to remove the flaw.
CVE-2025-62505 is a Server-Side Request Forgery (SSRF) vulnerability in the @lobehub/chat component that lets an attacker make the server issue HTTP requests to arbitrary URLs. This can expose internal resources that are not reachable from the internet.
You are affected if you are using @lobehub/chat versions prior to 1.136.2. Assess your dependencies to determine if you are vulnerable.
Upgrade to version 1.136.2 or later of @lobehub/chat. As a temporary measure, apply egress filtering (host firewall, forward proxy or cloud network policy) so the server cannot open outbound connections to loopback, link-local, metadata and private IP ranges.
There are currently no reports of active exploitation, but the vulnerability's nature makes it potentially exploitable.
Refer to the @lobehub/chat project's release notes and security advisories on their official repository for the latest information.