Improper Access Control Affecting @lobehub/chat package, versions <0.122.4
- Snyk ID SNYK-JS-LOBEHUBCHAT-6227580
- published 5 Feb 2024
- disclosed 31 Jan 2024
- credit dastaj
Introduced: 31 Jan 2024
CVE-2024-24566
How to fix?
Upgrade @lobehub/chat to version 0.122.4 or higher.
Overview
@lobehub/chat (Lobe Chat) is an open-source, high-performance chatbot framework that supports speech synthesis, multimodal input, and an extensible Function Call plugin system. It supports one-click free deployment of a private ChatGPT/LLM web application.
Affected versions of this package are vulnerable to Improper Access Control via the ACCESS_CODE option. When ACCESS_CODE is configured, the deployment is meant to require that code before serving requests; in affected versions, plugin functionality can be used without presenting it, so an attacker who can reach the deployment can access plugins without proper authorization by bypassing the password protection mechanism.
Note:
This is only exploitable if the application is deployed with the ACCESS_CODE option set. A deployment that does not set ACCESS_CODE has no access-code protection to bypass, and is open by design.
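The following is an added illustrative example, not code from lobe-chat and not a reproduction of the project's actual root cause (which this advisory does not detail). It models the general shape of this class of bug: an ACCESS_CODE gate that is enforced inside individual handlers leaves any handler that omits the check reachable, while a gate applied centrally to every API route cannot be skipped. The route paths (`/api/chat`, `/api/plugin/gateway`), the `x-access-code` header name, the `probe` and `demo` helpers, and the sample code value are all assumptions made for this example.

```javascript
// Added illustrative example; not lobe-chat's code. Models an ACCESS_CODE gate
// enforced per-handler (vulnerable shape) versus centrally (hardened shape).

// Constant-time string comparison: the loop runs over the longer length and
// accumulates differences with bitwise OR, so timing does not reveal which
// character mismatched. (The loop count still depends on length, which is
// acceptable for a short shared secret like an access code.)
function accessCodeMatches(presented, expected) {
  if (typeof presented !== 'string' || typeof expected !== 'string') return false;
  const n = Math.max(presented.length, expected.length);
  let diff = presented.length ^ expected.length;
  for (let i = 0; i < n; i++) {
    diff |= (presented.charCodeAt(i) || 0) ^ (expected.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Header carrying the code; the header name is an assumption for this example.
function presentedCode(req) {
  return req.headers['x-access-code'];
}

// The gate. It is inactive when no ACCESS_CODE is configured, matching the
// advisory note that the issue only matters for deployments using the option.
// Returns null to allow the request, or a response object to deny it.
function requireAccessCode(req, env) {
  if (!env.ACCESS_CODE) return null;
  if (accessCodeMatches(presentedCode(req), env.ACCESS_CODE)) return null;
  return { status: 401, body: 'invalid access code' };
}

// Minimal router model: path -> handler, with an optional guard that runs
// before every handler. Returns a { status, body } object.
function makeRouter(routes, guard) {
  return function handle(req, env) {
    const handler = routes[req.path];
    if (!handler) return { status: 404, body: 'not found' };
    if (guard) {
      const denied = guard(req, env);
      if (denied) return denied;
    }
    return handler(req, env);
  };
}

// The chat handler remembers to enforce the gate itself; the plugin handler
// does not. This is the omission the vulnerable shape fails to catch.
const chatHandler = (req, env) =>
  requireAccessCode(req, env) || { status: 200, body: 'chat ok' };
const pluginHandler = () => ({ status: 200, body: 'plugin ok' });

const routes = { '/api/chat': chatHandler, '/api/plugin/gateway': pluginHandler };

// Vulnerable shape: no central guard, so protection depends on every handler
// opting in. The plugin route is reachable without the access code.
const vulnerableApp = makeRouter(routes, null);

// Hardened shape: the guard runs once before any /api handler, so a route
// cannot be added (or forgotten) without inheriting the access-code check.
const hardenedApp = makeRouter(routes, requireAccessCode);

// Send one request to an app and return the HTTP status. `code` null means
// the caller presents no access code at all.
function probe(app, path, code, env = { ACCESS_CODE: 'correct-horse' }) {
  const req = { path, headers: code ? { 'x-access-code': code } : {} };
  return app(req, env).status;
}

// Drives both apps with the same unauthenticated requests.
function demo() {
  return {
    vulnChatNoCode: probe(vulnerableApp, '/api/chat', null),             // 401: gated
    vulnPluginNoCode: probe(vulnerableApp, '/api/plugin/gateway', null), // 200: bypass
    hardPluginNoCode: probe(hardenedApp, '/api/plugin/gateway', null),   // 401: closed
    hardPluginGood: probe(hardenedApp, '/api/plugin/gateway', 'correct-horse'), // 200
  };
}
```

The point of the hardened shape is structural rather than cryptographic: a deployment that sets ACCESS_CODE expects every server-side entry point to honour it, so the check belongs in one place that all API routes pass through, not in each handler. A regression test like `demo()` that asserts every protected path returns 401 without the code is the cheapest way to keep a new route from silently reopening the hole.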