PT-2025-38409 · Lobe Chat · Lobe Chat

Jackfromeast · Published 2025-09-18 · Updated 2025-09-18 · CVE-2025-59417

CVSS v4.0: 7.7 (High)
Vector: AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Lobe Chat versions prior to 1.129.4
Description: Lobe Chat, an open-source artificial intelligence chat framework, contains a cross-site scripting (XSS) issue in how it handles chat messages. Specifically, when a server response includes a lobeArtifact of type image/svg+xml, the application renders it using dangerouslySetInnerHTML, which allows XSS. Any party able to inject content into chat messages, including malicious pages, compromised MCP servers, or tool integrations, can exploit this issue. This can potentially escalate to remote code execution on the user's machine.
Recommendations: Update Lobe Chat to version 1.129.4 or later.
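The defensive alternative to the pattern described above, as an added example that is not Lobe Chat's own code: inspect an SVG artifact for active content (for logging) and present it through an <img> data: URL instead of inlining the markup. The artifact shape { type, content } and the helper names are assumptions.

```javascript
// Added example (not Lobe Chat's code): a defensive path for SVG artifacts.
// The advisory's unsafe pattern is inlining the raw markup, e.g.
//   <div dangerouslySetInnerHTML={{ __html: artifact.content }} />
// which lets <script>, on* handlers and javascript: URLs execute in the page.

// Markers of active content in SVG markup (a triage signal, not a sanitizer).
const ACTIVE_SVG_MARKERS = [
  { name: "script element",        re: /<\s*script\b/i },
  { name: "event handler",         re: /[\s"']on[a-z]+\s*=/i },
  { name: "javascript: URL",       re: /(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i },
  { name: "foreignObject element", re: /<\s*foreignObject\b/i },
  { name: "external reference",    re: /(?:href|xlink:href)\s*=\s*["']?\s*(?:https?:)?\/\//i },
];

// Return the names of every marker present, for logging and alerting.
function inspectSvg(svgText) {
  return ACTIVE_SVG_MARKERS.filter((m) => m.re.test(svgText)).map((m) => m.name);
}

// Encode the markup as a data: URL for an <img> element. An SVG shown through
// <img> is rendered in an isolated image context: scripts do not run and the
// image cannot reach the embedding document's DOM, cookies or storage.
function svgToImageSrc(svgText) {
  return "data:image/svg+xml;charset=utf-8," + encodeURIComponent(svgText);
}

// Decide how an artifact is presented. Hypothetical shape: { type, content }.
function planArtifactRender(artifact) {
  if (artifact.type !== "image/svg+xml") {
    return { kind: "text", content: artifact.content, findings: [] };
  }
  const findings = inspectSvg(artifact.content);
  // Never hand SVG markup to innerHTML/dangerouslySetInnerHTML; always use <img>.
  return { kind: "img", src: svgToImageSrc(artifact.content), findings };
}

// Constructed samples (not real Lobe Chat traffic) for exercising the helpers.
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle r="4"/></svg>';
const ACTIVE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script>x()</script></svg>';
```

The marker list only surfaces what to log; the isolation comes from the <img> rendering path, which holds even for SVG the markers miss.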

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-59417
GHSA-M79R-R765-5F9J

Affected Products

Lobe Chat