Platform
nodejs
Component
@lobehub/chat
Fixed in
1.19.14
1.19.13
CVE-2024-47066 describes a critical Server-Side Request Forgery (SSRF) vulnerability discovered in the @lobehub/chat component. This flaw allows attackers to bypass the implemented SSRF protection mechanism by crafting malicious URLs that redirect to internal resources, potentially exposing sensitive data or enabling unauthorized access. The vulnerability affects versions of @lobehub/chat prior to 1.19.13 and a patch is available.
The SSRF vulnerability in @lobehub/chat poses a significant risk. An attacker can exploit this flaw to send requests to internal resources that are otherwise inaccessible from the outside world. This could include accessing private network services, loopback addresses, or even internal APIs. Successful exploitation could lead to data exfiltration, unauthorized access to sensitive systems, and potentially even complete compromise of the underlying infrastructure. The ability to redirect requests allows bypassing of intended security controls, expanding the attack surface considerably.
CVE-2024-47066 was publicly disclosed on September 23, 2024. A proof-of-concept (PoC) demonstrating the vulnerability has been published, increasing the likelihood of exploitation. The vulnerability's severity is rated as CRITICAL (CVSS score of 9). It is not currently listed on the CISA KEV catalog, but its ease of exploitation warrants close monitoring. Active campaigns targeting this vulnerability are possible given the availability of a PoC.
Exploit Status
EPSS
5.78% (90% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-47066 is to upgrade to version 1.19.13 or later of the @lobehub/chat component. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or proxy to filter out potentially malicious URLs containing redirects. Specifically, configure the WAF to block requests containing redirect headers or suspicious URL patterns. Thoroughly review and validate all external URLs before processing them within the application. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and verifying that the request is blocked.
Update Lobe Chat to version 1.19.13 or higher. This version contains a fix for the Server-Side Request Forgery (SSRF) vulnerability. The update will mitigate the risk of an attacker being able to access internal resources through malicious redirects.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-47066 is a critical SSRF vulnerability in the @lobehub/chat component, allowing attackers to bypass SSRF protections and access internal resources.
You are affected if you are using a version of @lobehub/chat prior to 1.19.13.
Upgrade to version 1.19.13 or later. Consider implementing a WAF to filter malicious URLs as an interim measure.
While not confirmed, the availability of a public PoC increases the likelihood of exploitation, so proactive mitigation is recommended.
Refer to the official GitHub repository for @lobehub/chat for updates and advisories: https://github.com/lobehub/lobe-chat
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.