CNNVD-202509-3988 Information
CNNVD ID
CNNVD-202509-3988
Related CVE
- CNNVD Published: 2025-09-25
Description
Lobe Chat is an open-source, high-performance chatbot framework open-sourced by LobeHub. Versions of Lobe Chat before 1.130.1 contain a security vulnerability: the OIDC redirect handling logic builds the redirect URL from the unverified X-Forwarded-Host or Host header together with the X-Forwarded-Proto value, which can enable an open redirect attack.
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
LobeHub
Published
2025-09-25
Last Modified
2026-02-24
References
https://github.com/lobehub/lobe-chat/blob/aa841a3879c30142720485182ad62aa0dbd74edc/src/app/(backend)/oidc/consent/route.ts#L113-L127
https://github.com/lobehub/lobe-chat/commit/70f52a3c1fadbd41a9db0e699d1e44d9965de445
https://github.com/lobehub/lobe-chat/security/advisories/GHSA-xph5-278p-26qx
Patch
https://github.com/lobehub/lobe-chat/releases