
AVID-2026-R1474

Description

lobe-chat /api/proxy endpoint Server-Side Request Forgery vulnerability (CVE-2024-32964)

Details

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal input, and an extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthenticated Server-Side Request Forgery vulnerability in the /api/proxy endpoint: an attacker who is not logged in can send a crafted request that makes the server fetch an attacker-chosen URL, reach services on the internal network, and leak sensitive information.
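The advisory does not include code, so the following is an added example and not lobe-chat's own implementation: a request guard that a URL-proxying endpoint such as the /api/proxy route described above would need to call before forwarding anything. It closes the two gaps the advisory names, missing authentication and an unrestricted target, by requiring an authenticated caller, allowing only http(s), refusing loopback, RFC 1918, link-local (including the 169.254.169.254 cloud metadata address), CGNAT and reserved IPv4 space, refusing IPv6 literals and localhost, and optionally enforcing a host allowlist. The function name checkProxyTarget, the ProxyDecision shape and the allowlist contents are assumptions made for this example.

```typescript
// Added example (not lobe-chat's code): a request guard for a URL-proxying
// endpoint such as the /api/proxy route described in the advisory. The names
// checkProxyTarget and ProxyDecision and the allowlist are assumptions.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

export interface ProxyDecision {
  allowed: boolean;
  reason: string;
}

// Parse a dotted-quad IPv4 literal into its four octets, or return null.
// The WHATWG URL parser (Node's global URL) already canonicalises shorthand
// forms such as "2130706433" or "0x7f.1" to dotted-quad before we see them,
// so matching the canonical form is sufficient.
function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Ranges a proxy must never reach: "this network", RFC 1918 private space,
// loopback, link-local (which includes the 169.254.169.254 metadata service),
// CGNAT (100.64/10), and multicast/reserved space (224/3).
function isInternalIPv4([a, b]: number[]): boolean {
  return (
    a === 0 ||
    a === 10 ||
    a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127) ||
    a >= 224
  );
}

// Decide whether a proxy request may be forwarded. Checks, in order: the
// caller is authenticated, the URL parses, the scheme is http(s), the host is
// not localhost or an internal address, and (when an allowlist is configured)
// the host is on it.
export function checkProxyTarget(
  rawUrl: string,
  authenticated: boolean,
  allowedHosts: Set<string> = new Set(),
): ProxyDecision {
  if (!authenticated) {
    return { allowed: false, reason: "authentication required" };
  }
  let url: URL;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allowed: false, reason: "unparseable url" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { allowed: false, reason: `scheme not allowed: ${url.protocol}` };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing FQDN dot
  if (host === "localhost" || host.endsWith(".localhost")) {
    return { allowed: false, reason: "localhost not allowed" };
  }
  if (host.startsWith("[")) {
    // IPv6 literal: reject outright rather than enumerate ::1, fc00::/7, ...
    return { allowed: false, reason: "ipv6 literal not allowed" };
  }
  const v4 = parseIPv4(host);
  if (v4 && isInternalIPv4(v4)) {
    return { allowed: false, reason: `internal address: ${host}` };
  }
  if (allowedHosts.size > 0 && !allowedHosts.has(host)) {
    return { allowed: false, reason: `host not on allowlist: ${host}` };
  }
  return { allowed: true, reason: "ok" };
}
```

Two caveats apply to any guard of this kind. A hostname check alone does not stop a name that resolves to an internal address (or is rebound to one between check and connect), so a production proxy should resolve the name, apply the same range checks to every resolved address, and connect to exactly the address it checked. The proxy must also not follow redirects blindly, since a 3xx from an allowed host can point back at the metadata service; either disable redirects or re-run the check on every hop. The non-empty allowlist is the stronger control; the range denylist is a fallback for deployments that cannot enumerate their upstreams.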

Reason for inclusion in AVID: CVE-2024-32964 describes an unauthenticated Server-Side Request Forgery in lobe-chat’s /api/proxy endpoint. lobe-chat is a chatbot framework used to build and serve AI chat systems, so the flaw gives an attacker a path to intranet resources and to data leakage from the host running the deployment. As a vulnerability in a software component commonly used in AI pipelines (deployment/serving of AI chat systems), it is a relevant software supply-chain issue for general-purpose AI systems. The CVE is clearly security-related and high impact: SSRF and data leakage directly, with tampering or remote code execution possible only indirectly, through whatever internal services the proxy can reach. The report provides explicit details and references that confirm the vulnerability. Note that the CVSS vector recorded below scores Privileges Required as High, which does not match the unauthenticated access the advisory describes.

References

Affected or Relevant Artifacts

  • Developer: lobehub
  • Deployer: lobehub
  • Artifact Details:
    • Type: System
    • Name: lobe-chat

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.1
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
  • Base Score: 9.0
  • Base Severity: 🔴 Critical
  • Attack Vector: NETWORK
  • Attack Complexity: 🟢 Low
  • Privileges Required: 🔴 High
  • User Interaction: NONE
  • Scope: CHANGED
  • Confidentiality Impact: 🔴 High
  • Integrity Impact: 🟢 Low
  • Availability Impact: 🔴 High

CWE

  • ID: CWE-918
  • Description: Server-Side Request Forgery (SSRF)

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-05-10
  • Version: 0.3.3
  • AVID Entry