Base Score

CRITICAL9

CVE-2024-32964

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information.

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateMay 14, 2024, 15:37

Affected Versions(1)

@lobehub/chat(npm)

Introduced0

Fixed0.150.6

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
@lobehub/chat(npm)	0	0.150.6	N/A

Weakness Type (CWE):CWE-918

CVSS Metrics

Base Score

Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H

Base Severity

CRITICAL

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

HIGH

Integrity (I)

LOW

Availability (A)

HIGH

References

Base Score

CRITICAL9

Weakness Type (CWE):CWE-918

CVSS Metrics

Base Score

Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H

Base Severity

CRITICAL

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

CHANGED

Confidentiality (C)

HIGH

Integrity (I)

LOW

Availability (A)

HIGH