CVE-2025-59426
📋 TL;DR
This CVE describes an open redirect vulnerability in Lobe Chat's OIDC implementation. Attackers can manipulate X-Forwarded-* headers to redirect users to malicious domains during authentication flows. This affects Lobe Chat deployments behind reverse proxies that forward untrusted headers without validation.
💻 Affected Systems
- Lobe Chat
📦 What is this software?
Lobe Chat by Lobehub
⚠️ Risk & Real-World Impact
Worst Case
Users could be redirected to phishing sites during OIDC authentication, potentially leading to credential theft or session hijacking.
Likely Case
Attackers could redirect users to malicious sites for phishing or malware distribution during authentication flows.
If Mitigated
With proper header validation at the reverse proxy level, the vulnerability would be blocked before reaching the application.
🎯 Exploit Status
Exploitation requires the ability to send HTTP requests with manipulated headers to a vulnerable Lobe Chat instance behind a misconfigured reverse proxy.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.130.1
Vendor Advisory: https://github.com/lobehub/lobe-chat/security/advisories/GHSA-xph5-278p-26qx
Restart Required: No
Instructions:
1. Update Lobe Chat to version 1.130.1 or later.
2. Verify the update by checking the version.
3. No restart is required, as this is a web application.
🔧 Temporary Workarounds
Configure reverse proxy to strip or validate X-Forwarded-* headers
Configure your reverse proxy (nginx, Apache, etc.) to strip or validate X-Forwarded-Host and X-Forwarded-Proto headers before forwarding to Lobe Chat.
# Example nginx configuration to strip headers
# An empty value makes nginx omit the header entirely instead of forwarding
# whatever the client supplied.
proxy_set_header X-Forwarded-Host "";
proxy_set_header X-Forwarded-Proto "";
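The same header-trust problem and its hardened counterpart at the application layer, as an added TypeScript example that is not Lobe Chat's own code; the canonical origin chat.example.com, the allowlist and the attacker.example host are assumed values for illustration.

```typescript
// Added example, not Lobe Chat's code. Contrasts building a redirect origin
// from proxy-supplied X-Forwarded-* headers with a variant that only honours
// values matching an operator-configured allowlist.

type Headers = Record<string, string | undefined>;

// Assumed deployment values: the public origin and the hosts it may serve.
const CANONICAL_ORIGIN = "https://chat.example.com";
const ALLOWED_HOSTS = new Set(["chat.example.com"]);

// Vulnerable pattern: the origin is rebuilt from whatever arrived in the
// headers, so a proxy that forwards client-supplied values controls the host.
function redirectUrlTrustingHeaders(headers: Headers, path: string): string {
  const proto = headers["x-forwarded-proto"] ?? "https";
  const host = headers["x-forwarded-host"] ?? headers["host"] ?? "";
  return `${proto}://${host}${path}`;
}

// Hardened pattern: forwarded values are used only when they match the
// allowlist; anything else falls back to the configured canonical origin.
// The final URL must still resolve to that origin, which also rejects
// scheme-relative paths such as "//evil.example/x".
function redirectUrlValidated(headers: Headers, path: string): string {
  const proto = headers["x-forwarded-proto"]?.trim().toLowerCase();
  const host = headers["x-forwarded-host"]?.trim().toLowerCase();
  const origin =
    host !== undefined && ALLOWED_HOSTS.has(host) && proto === "https"
      ? `https://${host}`
      : CANONICAL_ORIGIN;
  const url = new URL(path, origin);
  if (!path.startsWith("/") || url.origin !== origin) {
    throw new Error(`refusing redirect off the canonical origin: ${path}`);
  }
  return url.toString();
}

// Constructed request as the app would see it behind a proxy that forwards
// a client-supplied X-Forwarded-Host unchanged.
const forgedRequest: Headers = {
  host: "chat.example.com",
  "x-forwarded-host": "attacker.example",
  "x-forwarded-proto": "https",
};
```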
🧯 If You Can't Patch
- Configure reverse proxies to strip or validate X-Forwarded-* headers from untrusted sources
- Implement WAF rules to detect and block open redirect attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the deployment runs a Lobe Chat version earlier than 1.130.1 and sits behind a reverse proxy that forwards X-Forwarded-* headers.
Check Version:
Check the application's version in the UI or via the package.json file: grep version package.json
Verify Fix Applied:
Verify the application is running version 1.130.1 or later and test that manipulated X-Forwarded-* headers no longer cause redirects to external domains.
📡 Detection & Monitoring
Log Indicators:
- Unusual redirects during OIDC flows
- Requests with manipulated X-Forwarded-* headers
Network Indicators:
- Redirects to unexpected external domains during authentication
SIEM Query:
web_requests WHERE (http_user_agent CONTAINS 'LobeChat' OR url_path CONTAINS '/oidc/') AND (http_referer CONTAINS 'malicious-domain' OR redirect_url CONTAINS 'external-domain')
🔗 References
- https://github.com/lobehub/lobe-chat/blob/aa841a3879c30142720485182ad62aa0dbd74edc/src/app/(backend)/oidc/consent/route.ts#L113-L127
- https://github.com/lobehub/lobe-chat/commit/70f52a3c1fadbd41a9db0e699d1e44d9965de445
- https://github.com/lobehub/lobe-chat/security/advisories/GHSA-xph5-278p-26qx