Vulnerability Description
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lobehub | Lobe Chat | < 0.150.6 |
Related Weaknesses (CWE)
References
- https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20ccPatch
- https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphcExploitVendor Advisory
- https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20ccPatch
- https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphcExploitVendor Advisory
FAQ
What is CVE-2024-32964?
CVE-2024-32964 is a vulnerability with a CVSS score of 9.0 (CRITICAL). Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vul...
How severe is CVE-2024-32964?
CVE-2024-32964 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-32964?
Check the references section above for vendor advisories and patch information. Affected products include: Lobehub Lobe Chat.