PT-2025-39385 · Lobe Chat · Lobe Chat

Im-Soohyun · Published 2025-09-24 · Updated 2025-09-25 · CVE-2025-59426

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Lobe Chat versions prior to 1.130.1

Description: Lobe Chat, an open-source artificial intelligence chat framework, has an issue in its OIDC redirect handling logic. The logic builds the redirect URL's host and protocol from the X-Forwarded-Host or Host header and the X-Forwarded-Proto value. If a reverse proxy forwards client-supplied X-Forwarded-* headers without validation, or if the origin server trusts them without validation, an attacker can inject an arbitrary host and trigger an open redirect to a malicious domain.

Recommendations: Update to Lobe Chat version 1.130.1 or later.
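The defensive pattern behind this class of issue is to never let a proxy header alone decide the redirect origin. The following is an added example written for this advisory, not Lobe Chat's code or its fix: it derives the redirect origin from X-Forwarded-Host / Host and X-Forwarded-Proto only when the forwarded host matches an explicit allowlist, falls back to a configured canonical origin otherwise, and refuses redirect paths that would escape that origin. The `RedirectConfig` shape, the `chat.example.com` / `attacker.example` values and the assumption that header keys are lowercased (Node.js style) are all constructed for the example.

```typescript
// Added example, not Lobe Chat's own code: trust X-Forwarded-Host / Host
// and X-Forwarded-Proto only when the host is on an explicit allowlist.
// Header keys are assumed to be lowercased as Node.js delivers them.

type HeaderMap = Record<string, string | undefined>;

export interface RedirectConfig {
  // Canonical public origin of this deployment (constructed example value).
  canonicalOrigin: string;
  // Hostnames (optionally with :port) the reverse proxy may legitimately present.
  allowedHosts: string[];
}

// Hostname or IPv4 literal with an optional port; no userinfo, path, or whitespace.
const HOST_RE = /^[A-Za-z0-9.-]+(?::\d{1,5})?$/;

// X-Forwarded-* values may be comma-joined by chained proxies; keep only the
// first element, trimmed and lowercased, so "Host, internal" cannot slip through.
function firstHeaderValue(headers: HeaderMap, name: string): string | undefined {
  const raw = headers[name.toLowerCase()];
  if (!raw) return undefined;
  const first = raw.split(",")[0].trim().toLowerCase();
  return first.length > 0 ? first : undefined;
}

// Resolve the origin used to build OIDC redirect URLs. Anything not on the
// allowlist, or malformed, collapses to the canonical origin.
export function resolveRedirectOrigin(headers: HeaderMap, config: RedirectConfig): string {
  const forwardedHost =
    firstHeaderValue(headers, "x-forwarded-host") ?? firstHeaderValue(headers, "host");
  const forwardedProto = firstHeaderValue(headers, "x-forwarded-proto");

  const allowed = new Set(config.allowedHosts.map((h) => h.toLowerCase()));
  if (!forwardedHost || !HOST_RE.test(forwardedHost) || !allowed.has(forwardedHost)) {
    return config.canonicalOrigin;
  }

  // Only http/https are honoured; any other scheme value falls back to the canonical scheme.
  const canonicalProto = new URL(config.canonicalOrigin).protocol.replace(":", "");
  const proto =
    forwardedProto === "http" || forwardedProto === "https" ? forwardedProto : canonicalProto;
  return `${proto}://${forwardedHost}`;
}

// Join a caller-supplied path onto the trusted origin. Absolute URLs,
// protocol-relative "//host" and backslash variants are rejected, and the
// resolved URL must still sit on the trusted origin.
export function buildRedirectUrl(origin: string, path: string): string {
  if (!path.startsWith("/") || path.startsWith("//") || path.startsWith("/\\")) {
    throw new Error("redirect path must be a single-slash relative path");
  }
  const trusted = new URL(origin);
  const url = new URL(path, trusted);
  if (url.origin !== trusted.origin) {
    throw new Error("redirect escaped the trusted origin");
  }
  return url.toString();
}

// Stand-alone demonstration with a constructed request carrying a spoofed host.
const demoConfig: RedirectConfig = {
  canonicalOrigin: "https://chat.example.com",
  allowedHosts: ["chat.example.com"],
};
const spoofed: HeaderMap = { "x-forwarded-host": "attacker.example", "x-forwarded-proto": "https" };
console.log(resolveRedirectOrigin(spoofed, demoConfig)); // canonical origin, not attacker.example
```

The allowlist is the important part: a deployment behind a trusted proxy that rewrites X-Forwarded-Host can list its public hostnames there, while a deployment that receives client-controlled headers directly gets the canonical origin every time.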

Exploit · Fix

Weakness Enumeration: Open Redirect

Related Identifiers: CVE-2025-59426, GHSA-XPH5-278P-26QX

Affected Products: Lobe Chat