CVE-2024-32965
CVSS 3.1 Score 8.1 of 10 (high)
Details
Summary
CVE-2024-32965 is a serious security vulnerability affecting versions of Lobe Chat prior to 1.19.13. This open-source AI chat framework contains an unauthenticated Server-Side Request Forgery (SSRF) flaw: an attacker needs no login credentials to craft malicious requests that can reach intranet services and leak sensitive information. The JWT header X-Lobe-Chat-Auth carries a stored proxy address and OpenAI API key; by modifying it, an attacker can point the server's outbound requests at internal hosts and scan internal networks from within the target lobe-web environment. To mitigate this risk, users must upgrade to version 1.19.13, as there are currently no known workarounds for this vulnerability.
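The root cause described above is an outbound request whose destination (the proxy address) is taken from a client-controlled header. The standard defence is to validate that destination before any request is made: only an expected scheme, no embedded credentials, no loopback or private address ranges, and ideally an allowlist of permitted upstream hosts. The TypeScript below is an added example written for this page, not Lobe Chat's own code; the function `validateProxyUrl`, its return type and the blocked-range list are hypothetical, and the URLs in the usage call are constructed sample input.

```typescript
// Added example (not Lobe Chat's code): validate a client-supplied proxy/base URL
// before the server issues an outbound request on the client's behalf.

// Parse a dotted-decimal IPv4 literal into an unsigned 32-bit integer, or null.
// The WHATWG URL parser already canonicalises decimal/hex/octal forms such as
// "2130706433" or "0x7f000001" to dotted decimal, so this sees the normalised host.
function ipv4ToInt(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((octet) => octet > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// Hypothetical deny list: address ranges an outbound proxy must never target.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],      // "this" network
  ["10.0.0.0", 8],     // RFC 1918 private
  ["100.64.0.0", 10],  // carrier-grade NAT
  ["127.0.0.0", 8],    // loopback
  ["169.254.0.0", 16], // link-local (includes cloud metadata endpoints)
  ["172.16.0.0", 12],  // RFC 1918 private
  ["192.168.0.0", 16], // RFC 1918 private
];

function inCidr(ip: number, base: string, bits: number): boolean {
  const b = ipv4ToInt(base) as number;
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((b & mask) >>> 0);
}

type ProxyCheck = { ok: true; url: string } | { ok: false; reason: string };

// Returns the normalised URL when it is safe to use as an upstream, otherwise a reason.
// If allowedHosts is given, the host must match one entry exactly or be a subdomain of it.
function validateProxyUrl(raw: string, allowedHosts?: string[]): ProxyCheck {
  let u: URL;
  try {
    u = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (u.protocol !== "https:") return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  if (u.username || u.password) return { ok: false, reason: "credentials embedded in URL" };

  const host = u.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "loopback host" };
  if (host.startsWith("[")) return { ok: false, reason: "IPv6 literal not allowed by this policy" };

  const ip = ipv4ToInt(host);
  if (ip !== null) {
    for (const [base, bits] of BLOCKED_V4) {
      if (inCidr(ip, base, bits)) return { ok: false, reason: `${host} is in blocked range ${base}/${bits}` };
    }
  }

  if (allowedHosts) {
    const permitted = allowedHosts.some((a) => host === a || host.endsWith(`.${a}`));
    if (!permitted) return { ok: false, reason: `${host} is not an allowlisted upstream` };
  }
  return { ok: true, url: u.toString() };
}

// Constructed sample inputs: one legitimate upstream, several internal targets.
for (const candidate of [
  "https://api.openai.com/v1",
  "https://10.0.0.5/v1",
  "https://2130706433/",
  "https://169.254.169.254/latest/",
  "http://api.openai.com/v1",
]) {
  console.log(candidate, "=>", JSON.stringify(validateProxyUrl(candidate, ["api.openai.com"])));
}
```

Two caveats for anyone adapting this: a hostname that passes the literal-IP check can still resolve to an internal address, so a production version should resolve the name, re-check every returned address, and connect to the vetted address rather than re-resolving (DNS rebinding); and a deny list is a floor, not a ceiling, which is why the `allowedHosts` parameter exists. Validating the URL does not replace authentication of the request that carries it.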