PT-2024-25012 · Openai · Openai Api

Yyzsec · Published 2024-11-26 · Updated 2025-09-23 · CVE-2024-32965

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: lobe-chat versions prior to 1.19.13
Description: Lobe Chat is an open-source AI chat framework. Without authenticating, an attacker can craft requests that cause server-side request forgery (SSRF), reach intranet services, and leak sensitive information. The JWT header X-Lobe-Chat-Auth carries the proxy address and the OpenAI API key; an attacker can modify these values to scan the internal network of the target lobe-web environment.
Recommendations: For versions prior to 1.19.13, upgrade to version 1.19.13 or later to resolve the issue. As a temporary workaround, restrict access to the X-Lobe-Chat-Auth header and the OpenAI API key to reduce the risk of exploitation, and avoid using the X-Lobe-Chat-Auth header and the OpenAI API key on the affected API endpoint until the issue is resolved.

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

CVE-2024-32965
GHSA-2XCC-VM3F-M8RW

Affected Products

Openai Api