CVE-2024-37895.yaml
info:
  name: LobeChat
  cve: CVE-2024-37895
  summary: Lobe Chat is vulnerable to an API Key leak due to improper handling of base URL modifications.
  details: |
    An attacker who can authenticate through SSO/Access Code can obtain the real backend API Key.
    This is achieved by modifying the base URL to an attacker-controlled URL on the frontend and
    setting up a server-side request. The LobeChat version allows setting the Base URL, and there
    is no outbound traffic whitelist, enabling the attacker to retrieve API Key information from
    request headers at their self-set attack address.
  cvss: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
  severity: MEDIUM
  security_advise: |
    1. Upgrade LobeChat to version 0.162.25 or later.
    2. Implement outbound traffic whitelisting to restrict API key transmission to trusted domains only.
    3. Review and strengthen authentication mechanisms to prevent unauthorized base URL modifications.
rule: version > "0" && version < "0.162.25"
references:
  - https://github.com/lobehub/lobe-chat/security/advisories/GHSA-p36r-qxgx-jq2v
  - https://nvd.nist.gov/vuln/detail/CVE-2024-37895
  - https://github.com/lobehub/lobe-chat