CVE-2024-32965

CVSS 3.1 Score 8.1 of 10 (high)

Details

Published Nov 26, 2024
CWE ID 918

Summary

CVE-2024-32965 is a serious security vulnerability in Lobe Chat, an open-source AI chat framework, affecting versions prior to 1.19.13. The flaw is an unauthenticated Server-Side Request Forgery (SSRF): an attacker needs no login credentials to craft requests that the server then issues on their behalf, potentially reaching intranet services and leaking sensitive information. The JWT header X-Lobe-Chat-Auth carries a stored proxy address and OpenAI API key; by modifying it, an attacker can point the server's outbound requests at internal hosts and scan the internal network of the target lobe-web environment. There are no known workarounds, so users must upgrade to version 1.19.13.
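The kind of defensive check this flaw calls for, added here as an illustration and not taken from Lobe Chat's own code: before a server forwards traffic to a proxy address supplied by the client (here, a field carried in an auth header), reject anything that is not a public HTTPS endpoint, including hostnames whose DNS answers include internal ranges. Function names and the injectable resolver are assumptions for this example.

```python
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Hypothetical helper: vet a client-supplied upstream (proxy) URL before the
# server makes any request to it. Resolver is injectable so it can be tested offline.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Return every A/AAAA answer; a hostile name may mix public and private records."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for loopback, RFC 1918, link-local, multicast, reserved and unspecified."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_proxy_url(raw: str, resolver: Resolver = system_resolver) -> str:
    """Return the normalised https origin, or raise ValueError if it is not a public endpoint."""
    parts = urlsplit(raw)
    if parts.scheme != "https":
        raise ValueError("only https upstreams are accepted")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in URL")
    host = parts.hostname  # lower-cased, IPv6 brackets removed
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: check it directly
    except ValueError:
        if host == "localhost" or host.endswith(".localhost") or "." not in host:
            raise ValueError("local or single-label hostname") from None
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except OSError as exc:  # DNS failure: fail closed
            raise ValueError(f"cannot resolve {host}") from exc
    if not addrs or any(is_internal(a) for a in addrs):
        raise ValueError(f"{host} points at an internal address")
    # Caveat: to defeat DNS rebinding, connect to one of `addrs` (with Host/SNI set to
    # `host`) instead of re-resolving later; an allowlist of upstream hosts is stronger still.
    port = f":{parts.port}" if parts.port else ""
    return f"https://{host}{port}"


def is_safe_proxy_url(raw: str, resolver: Resolver = system_resolver) -> bool:
    """Boolean convenience wrapper around validate_proxy_url."""
    try:
        validate_proxy_url(raw, resolver)
        return True
    except ValueError:
        return False
```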
