CVE-2024-37895
API Key Leak in lobe-chat
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Lobe Chat is an open-source LLMs/AI chat framework. In affected versions if an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. This issue has been addressed in version 0.162.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Lobe Chat es un framework de chat de IA/LLM de código abierto. En las versiones afectadas, si un atacante puede autenticarse exitosamente a través de SSO/Código de acceso, puede obtener la clave API de backend real modificando la URL base a su propia URL de ataque en la interfaz y configurando una solicitud del lado del servidor. Este problema se solucionó en la versión 0.162.25. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-06-10 CVE Reserved
- 2024-06-17 CVE Published
- 2024-06-18 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://github.com/lobehub/lobe-chat/security/advisories/GHSA-p36r-qxgx-jq2v | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Lobehub Search vendor "Lobehub" | Lobe-chat Search vendor "Lobehub" for product "Lobe-chat" | < 0.162.25 Search vendor "Lobehub" for product "Lobe-chat" and version " < 0.162.25" | en |
Affected
| ||||||