@lobehub/chat
npm | 9 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @lobehub/chat (page 1 of 1)
- CVE-2024-24566 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 0.122.4 | 2024-01-31
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. When the application is password-protected (deployed with the `ACCESS_CODE` option), it is possible to access plugins …
- CVE-2024-32964 | CRITICAL | CVSS 9.0 | EG 9.0 | ✓ Fixed in 0.150.6 | 2024-05-14
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. …
- CVE-2024-32965 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 1.19.13 | 2024-11-26
Lobe Chat is an open-source AI chat framework. Versions of lobe-chat prior to 1.19.13 have an unauthorized SSRF vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and le…
- CVE-2024-37895 | MEDIUM | CVSS 5.7 | EG 5.7 | ✓ Fixed in 0.162.25 | 2024-06-17
Lobe Chat is an open-source LLMs/AI chat framework. In affected versions if an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on th…
- CVE-2024-47066 | CRITICAL | CVSS 9.0 | EG 9.0 | ✓ Fixed in 1.19.13 | 2024-09-23
Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.19.13, server-side request forgery protection implemented in `src/app/api/proxy/route.ts` does not consider redirect and could be bypassed when attacker…
- CVE-2025-62505 | LOW | CVSS 3.0 | EG 3.0 | ✓ Fixed in 1.136.2 | 2025-10-17
LobeChat is an open source chat application platform. The web-crawler package in LobeChat version 1.136.1 allows server-side request forgery (SSRF) in the tools.search.crawlPages tRPC endpoint. A client can supply an arbitrary urls array t…
- CVE-2026-23522 | LOW | CVSS 3.7 | EG 3.7 | 2026-01-19
LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, the `knowledgeBase.removeFilesFromKnowledgeBase` tRPC endpoint allows authenticated users to delete files from any knowledge base without verifying ownership. `us…
- CVE-2026-23733 | MEDIUM | CVSS 6.4 | EG 9.6 | 2026-01-18
LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the applicati…
- CVE-2026-23835 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.143.3 | 2026-01-30
LobeHub is an open source human-and-AI-agent network. Prior to version 1.143.3, the file upload feature in `Knowledge Base > File Upload` does not validate the integrity of the upload request, allowing users to intercept and modify the req…
Check whether @lobehub/chat is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for @lobehub/chat CVEs against the assets you own.