GoogleOSV:GHSA-P36R-QXGX-JQ2VLobe Chat API Key Leak
5.7 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
6.9 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%
Summary
If an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request.
Details
The attack process is described above.
PoC
Frontend:
- Pass basic authentication (SSO/Access Code).
- Set the Base URL to a private attack address.
- Configure the request method to be a server-side request.
- At the self-set attack address, retrieve the API Key information from the request headers.
Backend:
- The LobeChat version allows setting the Base URL.
- There is no outbound traffic whitelist.
Impact
All community version LobeChat users using SSO/Access Code authentication, tested on version 0.162.13.
| CPE | Name | Operator | Version |
|---|---|---|---|
| @lobehub/chat | lt | 0.162.25 |
Related
5.7 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
6.9 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%