प्लेटफ़ॉर्म
nodejs
घटक
@lobehub/chat
में ठीक किया गया
1.19.14
1.19.13
CVE-2024-47066 describes a critical Server-Side Request Forgery (SSRF) vulnerability discovered in the @lobehub/chat component. This flaw allows attackers to bypass the implemented SSRF protection mechanism by crafting malicious URLs that redirect to internal resources, potentially exposing sensitive data or enabling unauthorized access. The vulnerability affects versions of @lobehub/chat prior to 1.19.13 and a patch is available.
The SSRF vulnerability in @lobehub/chat poses a significant risk. An attacker can exploit this flaw to send requests to internal resources that are otherwise inaccessible from the outside world. This could include accessing private network services, loopback addresses, or even internal APIs. Successful exploitation could lead to data exfiltration, unauthorized access to sensitive systems, and potentially even complete compromise of the underlying infrastructure. The ability to redirect requests allows bypassing of intended security controls, expanding the attack surface considerably.
CVE-2024-47066 was publicly disclosed on September 23, 2024. A proof-of-concept (PoC) demonstrating the vulnerability has been published, increasing the likelihood of exploitation. The vulnerability's severity is rated as CRITICAL (CVSS score of 9). It is not currently listed on the CISA KEV catalog, but its ease of exploitation warrants close monitoring. Active campaigns targeting this vulnerability are possible given the availability of a PoC.
Organizations deploying @lobehub/chat in production environments, particularly those that rely on it for proxying external requests, are at significant risk. Shared hosting environments where multiple users share the same server instance are also vulnerable, as an attacker could potentially exploit the vulnerability through another user's application.
• nodejs / server:
grep -r 'https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts' . • generic web:
curl -I <lobehub/chat endpoint> | grep 'Location:'disclosure
poc
patch
एक्सप्लॉइट स्थिति
EPSS
5.78% (90% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2024-47066 is to upgrade to version 1.19.13 or later of the @lobehub/chat component. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or proxy to filter out potentially malicious URLs containing redirects. Specifically, configure the WAF to block requests containing redirect headers or suspicious URL patterns. Thoroughly review and validate all external URLs before processing them within the application. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and verifying that the request is blocked.
Actualice Lobe Chat a la versión 1.19.13 o superior. Esta versión contiene una corrección para la vulnerabilidad de Server-Side Request Forgery (SSRF). La actualización mitigará el riesgo de que un atacante pueda acceder a recursos internos a través de redirecciones maliciosas.
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2024-47066 is a critical SSRF vulnerability in the @lobehub/chat component, allowing attackers to bypass SSRF protections and access internal resources.
You are affected if you are using a version of @lobehub/chat prior to 1.19.13.
Upgrade to version 1.19.13 or later. Consider implementing a WAF to filter malicious URLs as an interim measure.
While not confirmed, the availability of a public PoC increases the likelihood of exploitation, so proactive mitigation is recommended.
Refer to the official GitHub repository for @lobehub/chat for updates and advisories: https://github.com/lobehub/lobe-chat
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।