CVE-2024-32964

nvd nist nuclei

Published: May 14, 2024Modified: Sep 30, 2025

9.0

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H

Exploitability: 2.3 / Impact: 6.0

Source: security-advisories@github.com (Secondary)

Description

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information.

Affected (1)

Products: Lobehub: Lobe Chat

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Lobehub Lobe Chat	Before 0.150.6

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37

Source: security-advisories@github.com

Patch

https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.