CVE-2024-32964
📋 TL;DR
CVE-2024-32964 is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in Lobe Chat's /api/proxy endpoint. Attackers can exploit this to make the server send requests to internal network services, potentially accessing sensitive information or attacking internal systems. All deployments running Lobe Chat versions prior to 0.150.6 are affected.
💻 Affected Systems
- Lobe Chat
📦 What is this software?
Lobe Chat by Lobehub
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal network services, data exfiltration from internal systems, lateral movement within the network, and potential credential theft from metadata services.
Likely Case
Information disclosure from internal services, scanning of internal network resources, and potential access to cloud metadata services containing credentials.
If Mitigated
Limited impact with proper network segmentation and egress filtering, though some information disclosure may still occur.
🎯 Exploit Status
The vulnerability requires no authentication and exploitation is straightforward via crafted HTTP requests to the /api/proxy endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.150.6
Vendor Advisory: https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc
Restart Required: Yes
Instructions:
1. Update Lobe Chat to version 0.150.6 or later.
2. Restart the Lobe Chat service.
3. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Disable /api/proxy endpoint
Temporarily disable the vulnerable proxy endpoint until patching is possible
Modify application configuration to remove or disable the /api/proxy route
Network egress filtering
Implement strict outbound firewall rules to limit what internal resources the server can access
Configure firewall to block outbound connections from Lobe Chat server to internal networks except required services
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Lobe Chat from sensitive internal services
- Deploy a web application firewall (WAF) with SSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Check whether the Lobe Chat version is below 0.150.6 and whether the /api/proxy endpoint is reachable without authentication
Check Version:
Check package.json or application logs for version information
Verify Fix Applied:
Confirm Lobe Chat version is 0.150.6 or higher and test that the /api/proxy endpoint properly validates URLs
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /api/proxy endpoint
- Outbound connections from Lobe Chat to internal IP ranges
- HTTP requests with unusual target URLs in proxy logs
Network Indicators:
- Unusual outbound traffic patterns from Lobe Chat server
- Requests to internal IP addresses from the application server
SIEM Query:
source="lobe-chat-logs" AND (uri_path="/api/proxy" AND NOT (target_url CONTAINS "allowed-domain.com"))
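The two checks this page asks for, "test that the /api/proxy endpoint properly validates URLs" and "HTTP requests with unusual target URLs in proxy logs", both reduce to the same question: does a proxied target URL point at a non-public address? The following Python is an added example, not Lobe Chat's code and not the upstream fix; the log line format, the function names and the sample lines are all constructed here. classify_target shows what an SSRF-hardened proxy should refuse (loopback, RFC 1918, link-local metadata addresses, IPv4-mapped IPv6 and hex/decimal IP spellings), and find_suspicious_proxy_requests runs that same check over proxy log lines to surface the indicators listed above.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample log lines (hypothetical format, not Lobe Chat's real logs).
SAMPLE_LOG = """\
2024-05-10T12:00:01Z GET /api/proxy target_url=https://api.openai.com/v1/models status=200
2024-05-10T12:00:05Z GET /api/proxy target_url=http://169.254.169.254/latest/meta-data/ status=200
2024-05-10T12:00:09Z GET /api/proxy target_url=http://10.0.3.7:6379/ status=502
2024-05-10T12:00:12Z GET /api/proxy target_url=http://localhost:3000/admin status=200
2024-05-10T12:00:20Z GET /api/chat status=200
2024-05-10T12:00:25Z GET /api/proxy target_url=http://[::1]:8080/ status=200
2024-05-10T12:00:30Z GET /api/proxy target_url=http://0x7f000001/ status=200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+)(?: target_url=(?P<target>\S+))?")
NUMERIC_HOST_RE = re.compile(r"0x[0-9a-fA-F]+|[0-9]+")


def _literal_ip(host: str):
    """Parse a host as an IP literal, including hex/decimal IPv4 spellings.
    Returns an ip_address object, None for a DNS name, or raises ValueError
    when the host looks numeric but is not a valid address."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if NUMERIC_HOST_RE.fullmatch(host):
            # e.g. 0x7f000001 or 2130706433 both mean 127.0.0.1
            return ipaddress.IPv4Address(int(host, 0))
        return None
    # ::ffff:10.0.0.1 is really the IPv4 address 10.0.0.1
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def classify_target(url: str) -> str:
    """Return 'blocked' for a target an SSRF-hardened proxy must refuse,
    'allowed' otherwise. Only literal hosts and localhost are judged here;
    a real endpoint must also resolve DNS names and re-run the address
    check on every resolved address before connecting (DNS rebinding)."""
    try:
        parsed = urlparse(url)
        host = parsed.hostname
    except ValueError:
        return "blocked"
    if parsed.scheme not in ("http", "https") or not host:
        return "blocked"
    if host == "localhost" or host.endswith(".localhost"):
        return "blocked"
    try:
        ip = _literal_ip(host)
    except ValueError:
        return "blocked"
    if ip is None:
        return "allowed"  # DNS name: resolve and re-check before use
    # is_global is False for loopback, private, link-local, shared,
    # multicast, reserved and unspecified ranges.
    return "allowed" if ip.is_global else "blocked"


def find_suspicious_proxy_requests(log_text: str) -> list:
    """Return (timestamp, target_url) for every /api/proxy request whose
    target would be blocked by classify_target, or that has no target."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path") != "/api/proxy":
            continue
        target = m.group("target")
        if target is None or classify_target(target) == "blocked":
            hits.append((m.group("ts"), target or "<missing>"))
    return hits


if __name__ == "__main__":
    for ts, target in find_suspicious_proxy_requests(SAMPLE_LOG):
        print(f"{ts} suspicious /api/proxy target: {target}")
```

Run against the constructed sample, five of the six /api/proxy lines are flagged and only the public api.openai.com target passes. The deny-list style here is deliberately the minimum a fixed endpoint must do; for a deployment that only ever needs a handful of upstream providers, an allow-list of permitted hostnames (the shape of the SIEM query above) is the stronger control.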
🔗 References
- https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37
- https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc