@lobehub/chat@1.15.16 vulnerabilities

Lobe Chat - an open-source, high-performance chatbot framework that supports speech synthesis, multimodal input, and an extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application.

  • latest version

    1.81.4

  • latest non vulnerable version

  • first published

    1 year ago

  • latest version published

    14 hours ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the @lobehub/chat package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • Severity: H (high)
    Server-side Request Forgery (SSRF)


    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the X-Lobe-Chat-Auth header. The server trusts the proxy address and OpenAI API Key carried inside that header's JWT token, so an attacker who manipulates those values can make the server send requests to internal network services and leak sensitive information, without requiring user authentication.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade @lobehub/chat to version 1.19.13 or higher.

    Vulnerable version: <1.19.13
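As an added illustration that is not part of the advisory or of Lobe Chat's own code: a defensive check, in JavaScript, that validates an upstream endpoint taken from a JWT-shaped header value before the server forwards any request to it. The `endpoint` claim name and the header format are assumptions made for this example; the WHATWG `URL` parser is used so that shorthand IPv4 forms are normalized before the range check.

```javascript
// Added example (not Lobe Chat's code): reject caller-supplied upstream endpoints
// that point at loopback, private or internal addresses, or that fall outside an
// optional host allowlist. `endpoint` is a hypothetical claim name.

const ALLOWED_SCHEMES = new Set(['https:']);

// Decode the payload of a JWT-shaped token without trusting it; signature
// verification is a separate step that this helper deliberately does not do.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// True for IPv4 literals in "this", loopback, private, link-local or CGNAT ranges.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 100 && b >= 64 && b <= 127);
}

// Returns { ok: true, url } for an acceptable endpoint, else { ok: false, reason }.
// When `allowedHosts` is non-empty the hostname must be one of its entries.
function validateUpstreamEndpoint(endpoint, allowedHosts = []) {
  let url;
  try { url = new URL(endpoint); } catch { return { ok: false, reason: 'malformed URL' }; }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: 'scheme not allowed' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  const host = url.hostname; // already lower-cased and IPv4-normalized by the URL parser
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'loopback hostname' };
  if (host.startsWith('[')) return { ok: false, reason: 'IPv6 literal not allowed' };
  if (isPrivateIPv4(host)) return { ok: false, reason: 'private or internal address' };
  if (allowedHosts.length && !allowedHosts.includes(host)) return { ok: false, reason: 'host not in allowlist' };
  return { ok: true, url: url.toString() };
}

// Validate the endpoint claim carried in a header value such as X-Lobe-Chat-Auth.
function checkAuthHeaderEndpoint(headerValue, allowedHosts = []) {
  const payload = decodeJwtPayload(headerValue);
  if (!payload || typeof payload.endpoint !== 'string') return { ok: false, reason: 'no endpoint claim' };
  return validateUpstreamEndpoint(payload.endpoint, allowedHosts);
}
```

A string-level check does not cover hostnames that resolve to internal addresses (including DNS rebinding), so the resolved address should also be checked at connect time, and a fixed allowlist of upstream hosts is the stronger control where the deployment permits it.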