3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-62505

GHSA ID

GHSA-fgx4-p8xf-qhp9

EPSS Score

CWE

CWE-918

Published

10/17/2025

Updated

10/17/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62505

CVE-2025-62505: Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module

Vulnerability Description

Vulnerability Overview

When the client sends an arbitrary URL array and impl: ["naive"] to the tRPC endpoint tools.search.crawlPages, the server issues outbound HTTP requests directly to those URLs. There is no defensive logic that restricts or validates requests to internal networks (127.0.0.1, localhost, private ranges) or metadata endpoints (169.254.169.254).
Flow: client input (urls, impls) → service invocation in the tRPC router → the service passes the URLs to Crawler.crawl → the Crawler prioritizes the user-specified impls (naive) → the naive implementation performs a server-side fetch(url) as-is (SSRF) → the server collects responses from internal resources.
In the dev environment, authentication can be bypassed using the lobe-auth-dev-backend-api: 1 header (production requires a valid token). In the PoC, this was used to successfully retrieve the internal API at localhost:8889 from the server side.

Vulnerable Code

https://github.com/lobehub/lobe-chat/blob/d942a635b36a231156c60d824afa573af8032572/packages/web-crawler/src/crawImpl/naive.ts#L39-L45

PoC

PoC Description

In dev mode, we made a single tRPC call using the auth-bypass header lobe-auth-dev-backend-api: 1. Since tRPC requires the body to be in the form {"json": { ... }}, we placed urls and impls: ["naive"] inside json to induce the server to request the internal URL (http://localhost:8889/internel-api).
The response follows tRPC’s wrapping structure, so the actual body of the internal API is included as a string (JSON string) at result.data.json.results[0].data.content. We post-process it with jq for readability.

curl Example

curl -sS -X POST 'http://localhost:3010/trpc/tools/search.crawlPages' \
  -H 'Content-Type: application/json' \
  -H 'lobe-auth-dev-backend-api: 1' \
  --data '{"json":{"urls":["http://localhost:8889/internal-api"],"impls":["naive"]}}' | jq -r '.result.data.json.results[0].data.content' | jq .

Impact

Since the server performs outbound requests to internal networks, localhost, and metadata endpoints, an attacker can abuse the server’s network position to access internal resources (internal APIs, management ports, cloud metadata, etc.).
As a result, this can lead to exposure of internal system information, leakage of authentication tokens/secret keys (e.g., IMDSv1/v2), misuse of internal admin interfaces, and provide a foothold for further lateral movement.
By leveraging user-supplied impls to force the unfiltered naive implementation, SSRF defenses—such as blocking private/metadata IPs, DNS re-validation/re-resolution, and redirect restrictions—can be bypassed.

(GitHub Advisory)

3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-62505

GHSA ID

GHSA-fgx4-p8xf-qhp9

EPSS Score

CWE

CWE-918

Published

10/17/2025

Updated

10/17/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@lobehub/chat	npm	<= 1.136.1	1.136.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability analysis identified a Server-Side Request Forgery (SSRF) flaw in the Lobe Chat application. The root cause is the naive crawl implementation in the @lobehub/web-crawler package, which is triggered via the tools.search.crawlPages tRPC endpoint when a user specifies "impls": ["naive"]. The commit 8d59583dca16f218b99213d641733d8ba77f182c provides clear evidence of the vulnerability. The patch for this vulnerability replaces the native fetch call with ssrfSafeFetch inside the naive function in packages/web-crawler/src/crawImpl/naive.ts. This change directly points to the naive function as the location of the vulnerability. During exploitation, a profiler would show this naive function being executed as it processes the malicious URL, making it the key runtime indicator for this SSRF vulnerability.

Vulnerable functions

naive

packages/web-crawler/src/crawImpl/naive.ts

The `naive` function is an asynchronous function that implements the `CrawlImpl` type. It was using the standard `fetch` API to retrieve content from a user-provided URL without any validation or sanitization. This allows an attacker to craft a request to internal network resources or metadata services, leading to a Server-Side Request Forgery (SSRF) vulnerability. The patch replaces the insecure `fetch` call with `ssrfSafeFetch` to mitigate this issue.

WAF Protection Rules

WAF Rule

### Vuln*r**ility **s*ription --- Vuln*r**ility Ov*rvi*w - W**n t** *li*nt s*n*s *n *r*itr*ry URL *rr*y *n* impl: ["n*iv*"] to t** tRP* *n*point tools.s**r**.*r*wlP***s, t** s*rv*r issu*s out*oun* *TTP r*qu*sts *ir**tly to t*os* URLs. T**r* is no

Reasoning

T** vuln*r**ility *n*lysis i**nti*i** * S*rv*r-Si** R*qu*st *or**ry (SSR*) *l*w in t** Lo** ***t *ppli**tion. T** root **us* is t** `n*iv*` *r*wl impl*m*nt*tion in t** `@lo***u*/w**-*r*wl*r` p**k***, w*i** is tri***r** vi* t** `tools.s**r**.*r*wlP***

3

Basic Information

Concerned about an active attack path?

CVE-2025-62505: Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module

Vulnerability Description

PoC

Impact

3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI