PT-2024-27816 · Lobe Chat
Zhuozhiyongde · Published 2024-06-17 · Updated 2025-10-08 · CVE-2024-37895
| CVSS v3.1 | 5.7 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Lobe Chat versions prior to 0.162.25
Description
The issue allows an attacker who can authenticate through SSO or the Access Code to obtain the real backend API key. On the frontend, the attacker changes the base URL to an address they control and selects the server-side request mode. The backend then forwards the request to that address with the real API key in the request headers, where the attacker can read it. In short, the attack requires only passing basic authentication, pointing the base URL at a private attacker-controlled address, choosing a server-side request, and collecting the API key from the headers received at that address.
Recommendations
For versions prior to 0.162.25, upgrade to version 0.162.25 or later to address the issue. As a temporary workaround, consider restricting the ability to modify the base URL on the frontend, so that an attacker cannot direct a server-side request to an address of their choosing and obtain the API key. Additionally, configuring an outbound traffic whitelist on the backend limits where server-side requests can go and helps minimize the risk of exploitation.
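As an added example (not Lobe Chat's own code), the following shows one way a backend could enforce the workaround above: the secret API key is only attached to a server-side request if the user-supplied base URL resolves to an operator-approved upstream host. The allowlist entry `api.upstream.example` and the function names are hypothetical.

```python
# Added example, not from Lobe Chat: allowlist check for a user-supplied
# upstream base URL before the server attaches a secret API key to a request.
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hypothetical allowlist of upstream API hosts the operator trusts.
ALLOWED_UPSTREAM_HOSTS = {"api.upstream.example"}


def base_url_is_allowed(base_url: str, allowed_hosts=ALLOWED_UPSTREAM_HOSTS) -> bool:
    """Return True only if base_url points at an operator-approved upstream host."""
    try:
        parts = urlsplit(base_url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme != "https":  # plaintext would also expose the key in transit
        return False
    if parts.username or parts.password:  # "https://api.upstream.example@other.example" style confusion
        return False
    host = parts.hostname
    if not host:
        return False
    # Literal IP addresses are never allowed: they bypass the hostname
    # allowlist and are the simplest way to aim the server at a private address.
    try:
        ip_address(host)
        return False
    except ValueError:
        pass
    return host.lower() in allowed_hosts


def build_upstream_headers(base_url: str, api_key: str) -> dict:
    """Attach the real API key only when the destination passed the allowlist check."""
    if not base_url_is_allowed(base_url):
        raise ValueError("refusing to proxy to an unapproved base URL")
    return {"Authorization": f"Bearer {api_key}"}
```

Rejected requests should also be logged with the submitted base URL and the authenticated user, since repeated attempts to set an unapproved address are a useful detection signal.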
Tags: Information Disclosure · SSRF
Related Identifiers: CVE-2024-37895
Affected Products: Lobe Chat