Platform: nodejs
Component: @lobehub/chat
Fixed in: 1.19.14, 1.19.13
CVE-2024-32965 is a Server-Side Request Forgery (SSRF) vulnerability in @lobehub/chat versions before 1.19.13. It allows unauthenticated attackers to make the server issue crafted requests, potentially reaching internal resources and leaking sensitive data. The vulnerability is triggered by manipulating the proxy address in the OpenAI API Key settings; a fix is available in version 1.19.13.
The SSRF vulnerability in @lobehub/chat is a significant risk because it bypasses authentication controls: an attacker can use the application to send requests to internal services that are not reachable from outside the network. That could mean reading sensitive data held on internal servers, interacting with internal APIs, or triggering actions on other systems within the network. The blast radius extends to any internal resource reachable over HTTP or HTTPS, so the vulnerability should be addressed promptly. Because no authentication is required, a common barrier to entry is removed and the impact is correspondingly higher.
This vulnerability was publicly disclosed on 2024-11-26. There are currently no reports of active exploitation campaigns targeting it. A public proof-of-concept (PoC) is available, demonstrating the ease of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. The CVSS score of 8.1 (HIGH) reflects the potential impact and ease of exploitation.
Exploit Status
EPSS: 0.16% (36th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-32965 is to upgrade @lobehub/chat to version 1.19.13 or later immediately. If upgrading is not immediately feasible, consider a Web Application Firewall (WAF) that filters outbound requests and blocks those targeting internal IP addresses or sensitive endpoints. Additionally, restrict network access to the @lobehub/chat instance to authorized users and systems only. Monitor logs for unusual outbound requests originating from the application, specifically requests to internal IP addresses. No specific Sigma or YARA rules are readily available, but custom rules can be written to detect requests to internal networks.
Update Lobe Chat to version 1.19.13 or higher. This version fixes the Server-Side Request Forgery (SSRF) vulnerability that allows attackers to make unauthorized requests and access sensitive information. The update is the only known solution.
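The two defensive checks the mitigation paragraph calls for, as an added JavaScript example that is not code from @lobehub/chat or from this advisory: a validator for an operator-supplied proxy/upstream URL (the setting the vulnerability abuses) that rejects internal address ranges and non-allowlisted hosts, and a scanner that flags outbound-request log lines aimed at internal addresses. The log format, the `api.openai.com` allowlist default and the sample lines are assumptions constructed for the example.

```javascript
// Added example (not @lobehub/chat code): reject internal upstream URLs and
// flag outbound-request log lines whose destination is an internal address.
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for loopback, RFC 1918, link-local, CGNAT, 0/8 and IPv6 local ranges.
// Hostnames return false: resolve them and re-check the address before connecting.
function isInternalAddress(host) {
  const h = host.replace(/^\[|\]$/g, '').toLowerCase(); // strip IPv6 brackets
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  const v4 = h.match(IPV4);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    return a === 0 || a === 10 || a === 127 ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
      (a === 169 && b === 254) || (a === 100 && b >= 64 && b <= 127);
  }
  if (h.includes(':')) {
    if (h === '::1' || h === '::') return true;
    if (h.startsWith('::ffff:')) return isInternalAddress(h.slice(7)); // v4-mapped
    return /^(fc|fd|fe[89ab])/.test(h); // ULA and link-local
  }
  return false;
}

// Accept only http(s), no embedded credentials, no IP literals, and a hostname
// on an explicit allowlist (assumed default: the public OpenAI API host).
function validateUpstreamUrl(input, allowedHosts = ['api.openai.com']) {
  let url;
  try { url = new URL(input); } catch { return { ok: false, reason: 'malformed' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'credentials' };
  if (isInternalAddress(url.hostname)) return { ok: false, reason: 'internal' };
  const literal = IPV4.test(url.hostname) || url.hostname.startsWith('[');
  if (literal || !allowedHosts.includes(url.hostname)) return { ok: false, reason: 'not-allowlisted' };
  return { ok: true, reason: null };
}

// Constructed sample of application log lines: "<ts> outbound <method> <url>".
const SAMPLE_LOG = [
  '2024-11-26T10:00:01Z outbound POST https://api.openai.com/v1/chat/completions',
  '2024-11-26T10:00:05Z outbound POST http://127.0.0.1:8080/v1/chat/completions',
  '2024-11-26T10:00:09Z outbound POST http://10.0.0.5/v1/chat/completions',
];

// Returns the log lines whose destination host falls inside an internal range.
function findInternalOutbound(lines) {
  return lines.filter((line) => {
    const m = line.match(/outbound \S+ (\S+)$/);
    if (!m) return false;
    try { return isInternalAddress(new URL(m[1]).hostname); } catch { return false; }
  });
}
```

Because the WHATWG `URL` parser canonicalises numeric host forms before `hostname` is read, the range check always sees a dotted-quad or bracketed IPv6 literal.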
CVE-2024-32965 is a Server-Side Request Forgery vulnerability in @lobehub/chat versions before 1.19.13, allowing attackers to access internal resources without authentication.
If you are using @lobehub/chat versions prior to 1.19.13, you are potentially affected by this SSRF vulnerability.
Upgrade @lobehub/chat to version 1.19.13 or later to resolve this vulnerability. Consider WAF rules as a temporary mitigation.
While there are no confirmed reports of active exploitation, a public proof-of-concept exists, making exploitation possible.
Refer to the @lobehub/chat project's release notes and security advisories for the latest information on CVE-2024-32965.