Moderate severity · NVD Advisory · Published Jun 17, 2024 · Updated Aug 2, 2024
API Key Leak in lobe-chat
CVE-2024-37895
Description
Lobe Chat is an open-source LLM/AI chat framework. In affected versions, an attacker who can successfully authenticate through SSO or an access code can obtain the real backend API key by changing the base URL in the frontend to a server they control and triggering a server-side request, which then carries the backend key to that server. This issue has been addressed in version 0.162.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
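The pattern the description points at is a backend proxy that lets the client choose the upstream base URL while still falling back to the operator's own key. The following is an added example written for this page, not lobe-chat's code and not its actual fix in 0.162.25; the interfaces and function names (`ServerConfig`, `ClientRequest`, `resolveUpstreamVulnerable`, `resolveUpstreamHardened`, `leaksServerKey`) are assumptions. It shows the vulnerable resolution logic beside a hardened version that never pairs the server's key with a client-supplied endpoint, plus a small check a reviewer or test suite can use to detect the leaking combination.

```typescript
// Added example (hypothetical, not lobe-chat's code): how a chat backend that
// proxies requests to an upstream model API decides which endpoint and key
// to use for the server-side request.

interface ServerConfig {
  baseURL: string; // operator-configured upstream endpoint
  apiKey: string;  // the real backend key the advisory is about
}

interface ClientRequest {
  baseURL?: string; // optional override sent by the (authenticated) frontend
  apiKey?: string;  // optional "bring your own key" from the frontend
}

interface UpstreamTarget {
  baseURL: string;
  apiKey: string;
}

// Vulnerable pattern: a client-supplied base URL is honoured, but the server's
// own key is still used as the fallback. The resulting server-side request
// carries the operator's key to whatever host the client named.
function resolveUpstreamVulnerable(req: ClientRequest, cfg: ServerConfig): UpstreamTarget {
  return {
    baseURL: req.baseURL ?? cfg.baseURL,
    apiKey: req.apiKey ?? cfg.apiKey,
  };
}

// Returns the URL only if it parses and uses https; otherwise null.
function parseHttpsUrl(raw: string): URL | null {
  try {
    const u = new URL(raw);
    return u.protocol === "https:" ? u : null;
  } catch {
    return null;
  }
}

// Hardened pattern: the server key is only ever paired with the server's own
// configured endpoint. A custom base URL is accepted only together with a
// client-supplied key, and only if it is a syntactically valid https URL.
function resolveUpstreamHardened(req: ClientRequest, cfg: ServerConfig): UpstreamTarget {
  if (req.baseURL === undefined || req.baseURL === cfg.baseURL) {
    return { baseURL: cfg.baseURL, apiKey: req.apiKey ?? cfg.apiKey };
  }
  if (!req.apiKey) {
    throw new Error("custom baseURL requires a client-supplied apiKey; the server key is never forwarded");
  }
  const parsed = parseHttpsUrl(req.baseURL);
  if (parsed === null) {
    throw new Error("custom baseURL must be a valid https URL");
  }
  return { baseURL: parsed.toString(), apiKey: req.apiKey };
}

// Detection helper: true when a resolved target would send the operator's key
// somewhere other than the operator's configured endpoint.
function leaksServerKey(target: UpstreamTarget, cfg: ServerConfig): boolean {
  return target.apiKey === cfg.apiKey && target.baseURL !== cfg.baseURL;
}
```

The invariant worth enforcing (and asserting in tests) is the one in `leaksServerKey`: the server-held secret and a client-chosen destination must never appear in the same outbound request, regardless of how the user authenticated.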
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @lobehub/chat (npm) | < 0.162.25 | 0.162.25 |
References
- github.com/advisories/GHSA-p36r-qxgx-jq2v (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-37895 (NVD advisory)
- github.com/lobehub/lobe-chat/security/advisories/GHSA-p36r-qxgx-jq2v (vendor advisory, x_refsource_CONFIRM)