प्लेटफ़ॉर्म
nodejs
घटक
@lobehub/chat
में ठीक किया गया
0.150.6
0.150.6
CVE-2024-32964 describes a critical Server-Side Request Forgery (SSRF) vulnerability discovered in the @lobehub/chat component, specifically affecting versions before 0.150.6. This flaw allows attackers to craft malicious requests, bypassing authentication and potentially accessing internal services. The vulnerability is located in the /api/proxy endpoint, enabling unauthorized data retrieval and manipulation. A fix is available in version 0.150.6.
The SSRF vulnerability in @lobehub/chat poses a significant risk. Attackers can leverage this to bypass access controls and directly interact with internal services that are not intended to be publicly accessible. This could lead to the exposure of sensitive data, including API keys, database credentials, or other confidential information residing within the internal network. The /api/proxy endpoint acts as a conduit, allowing attackers to redirect requests to arbitrary internal resources. Successful exploitation could result in unauthorized data modification, system compromise, and potential lateral movement within the affected environment.
This vulnerability was publicly disclosed on 2024-05-10. A public proof-of-concept demonstrating the SSRF exploitation is available on GitHub. The EPSS score is likely to be medium, given the ease of exploitation and potential impact. No confirmed active exploitation campaigns have been reported at the time of this writing, but the availability of a public PoC increases the likelihood of future exploitation.
Organizations utilizing @lobehub/chat in their applications, particularly those with internal services exposed via APIs, are at risk. Environments with weak network segmentation or inadequate access controls are especially vulnerable. Shared hosting environments where multiple users share the same server instance could also be impacted if one user's application is compromised.
• nodejs / server:
ps aux | grep @lobehub/chat
npm list @lobehub/chat• generic web:
curl -I https://your-chat-domain.com/api/proxy
# Look for unexpected internal IP addresses or hostnames in the response headersdisclosure
एक्सप्लॉइट स्थिति
EPSS
72.72% (99% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2024-32964 is to immediately upgrade to @lobehub/chat version 0.150.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. Restrict access to the /api/proxy endpoint using a Web Application Firewall (WAF) or proxy server, allowing only trusted origins. Implement strict input validation on all requests to the /api/proxy endpoint to prevent malicious URL manipulation. Monitor network traffic for suspicious outbound requests originating from the @lobehub/chat component.
Lobe Chat को संस्करण 0.150.6 या उच्चतर में अपडेट करें। यह संस्करण `/api/proxy` एंडपॉइंट पर सर्वर-साइड रिक्वेस्ट फोर्जिंग (SSRF) भेद्यता को ठीक करता है। अपडेट करने से हमलावरों को आंतरिक सेवाओं पर अनधिकृत अनुरोध करने और संवेदनशील जानकारी तक पहुंचने से रोका जा सकेगा।
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2024-32964 is a critical SSRF vulnerability affecting @lobehub/chat versions before 0.150.6, allowing attackers to access internal services and leak sensitive information.
You are affected if you are using @lobehub/chat versions prior to 0.150.6. Immediately check your dependencies and upgrade if necessary.
Upgrade to @lobehub/chat version 0.150.6 or later. As a temporary workaround, restrict access to the /api/proxy endpoint using a WAF or proxy server.
While no confirmed active exploitation campaigns have been reported, a public proof-of-concept exists, increasing the risk of exploitation.
Refer to the official @lobehub/chat GitHub repository for updates and advisories related to CVE-2024-32964: https://github.com/lobehub/lobe-chat
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।