Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1wMzZyLXF4Z3gtanEyds4AA9I3

Lobe Chat API Key Leak

Summary

Any user who can authenticate (via SSO or the Access Code) can obtain the backend's real API key. On the frontend they set the model provider Base URL to a host they control and select server-side request mode; the backend then proxies the chat request to that host with its own API key attached, and the attacker reads the key out of the request headers on their server.

Details

The attack flow is the one given in the Summary: authenticated user sets a malicious Base URL, backend proxies to it with the server key, attacker logs the headers. The original advisory illustrates this with a diagram that is not reproduced on this page.

PoC

Frontend:

  1. Authenticate normally (SSO or Access Code).
  2. In the provider settings, set the Base URL to a host the attacker controls.
  3. Select server-side request mode, so the backend rather than the browser performs the upstream call.
  4. On the attacker-controlled host, read the API key from the headers of the incoming proxied request.

Backend preconditions:

  1. The LobeChat version allows the Base URL to be set from the client.
  2. The backend applies no outbound allowlist, so it proxies to any host the client names and still attaches the server-side API key.
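The proxy decision at the heart of the PoC, as an added TypeScript example that is not LobeChat's code and does not show the project's actual fix: a vulnerable request builder that honours any client-supplied Base URL and falls back to the server's key, beside a hardened builder that only releases the server key to an allowlisted upstream host and also refuses plaintext and internal targets. The config shape, function names, the hosts `attacker.example` and `api.openai.com`, and the sample key are assumptions, and the demo config is constructed.

```typescript
// Added example, not LobeChat's code. Models the backend decision described in
// the advisory: which URL the proxied request goes to, and which key rides on it.

interface ProxyConfig {
  serverApiKey: string;    // secret that must never leave the backend (assumed name)
  defaultBaseUrl: string;  // upstream the server key was issued for
  allowedHosts: string[];  // hosts the server key may be sent to
}

interface ChatRequest {
  baseUrl?: string;        // client-controlled "Base URL" setting
  clientApiKey?: string;   // user's own key, if they supplied one
}

interface OutboundRequest {
  url: string;
  headers: Record<string, string>;
}

// Loopback, RFC1918, link-local and IPv6 loopback literals.
const PRIVATE_HOST =
  /^(localhost|127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+|169\.254\.\d+\.\d+|0\.0\.0\.0|\[?::1\]?)$/i;

function chatUrl(base: string): URL {
  // Tolerates a trailing slash and appends the completions path to the base.
  const u = new URL(base);
  u.pathname = u.pathname.replace(/\/+$/, '') + '/chat/completions';
  return u;
}

// VULNERABLE (the pattern the advisory describes): any client-supplied base URL
// is honoured, and when the client sends no key the server key is used.
function buildOutboundVulnerable(cfg: ProxyConfig, req: ChatRequest): OutboundRequest {
  const target = chatUrl(req.baseUrl ?? cfg.defaultBaseUrl);
  const key = req.clientApiKey || cfg.serverApiKey;
  return { url: target.toString(), headers: { Authorization: `Bearer ${key}` } };
}

// HARDENED: the server key only goes to allowlisted hosts. A user's own key may
// go to other hosts, but never over plaintext or to loopback/RFC1918 targets,
// so the proxy cannot be turned into an SSRF pivot either.
function buildOutboundHardened(cfg: ProxyConfig, req: ChatRequest): OutboundRequest {
  const target = chatUrl(req.baseUrl ?? cfg.defaultBaseUrl);
  if (target.protocol !== 'https:') {
    throw new Error(`refusing non-HTTPS upstream ${target.origin}`);
  }
  if (PRIVATE_HOST.test(target.hostname)) {
    throw new Error(`refusing internal upstream ${target.hostname}`);
  }
  if (req.clientApiKey) {
    return { url: target.toString(), headers: { Authorization: `Bearer ${req.clientApiKey}` } };
  }
  if (!cfg.allowedHosts.includes(target.hostname)) {
    throw new Error(`server API key may not be sent to ${target.hostname}`);
  }
  return { url: target.toString(), headers: { Authorization: `Bearer ${cfg.serverApiKey}` } };
}

// Attacker's side: what a listener at the "private attack address" reads from
// the headers of the proxied request.
function extractBearerToken(headers: Record<string, string>): string | null {
  const auth = headers['Authorization'] ?? headers['authorization'];
  const m = auth ? /^Bearer\s+(\S+)$/.exec(auth) : null;
  return m ? m[1] : null;
}

// Constructed sample: server config plus the attacker's request (no user key,
// Base URL pointed at the attacker's host).
const demoConfig: ProxyConfig = {
  serverApiKey: 'sk-server-secret-EXAMPLE',
  defaultBaseUrl: 'https://api.openai.com/v1',
  allowedHosts: ['api.openai.com'],
};
const attackerRequest: ChatRequest = { baseUrl: 'https://attacker.example/v1' };

// Returns the key the attacker's listener would capture from the vulnerable build.
function demonstrateLeak(): string | null {
  const out = buildOutboundVulnerable(demoConfig, attackerRequest);
  return extractBearerToken(out.headers);
}

// Returns the rejection message the hardened build produces for the same request.
function demonstrateFix(): string {
  try {
    buildOutboundHardened(demoConfig, attackerRequest);
    return 'leaked';
  } catch (e) {
    return (e as Error).message;
  }
}
```

The hostname allowlist is the part that closes the reported leak; the plaintext and private-address checks are defence in depth. A string match on the hostname does not cover DNS rebinding or a public name that resolves to an internal address, so a production proxy should also validate the resolved address at connect time, and the user-key path still lets authenticated users make the server fetch arbitrary public hosts, which is only acceptable if a bring-your-own-endpoint feature is intended.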

Impact

All community-edition LobeChat deployments that use SSO or Access Code authentication; reproduced on version 0.162.13. With the leaked key an authenticated user can call the provider directly, outside the application's own controls.

Permalink: https://github.com/advisories/GHSA-p36r-qxgx-jq2v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wMzZyLXF4Z3gtanEyds4AA9I3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago


CVSS Score: 5.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Identifiers: GHSA-p36r-qxgx-jq2v, CVE-2024-37895
References: Repository: https://github.com/lobehub/lobe-chat
Blast Radius: 1.0

Affected Packages

npm:@lobehub/chat
Dependent packages: 0
Dependent repositories: 0
Downloads: 17,410 last month
Affected Version Ranges: < 0.162.25
Fixed in: 0.162.25
All affected versions: 0.1.6, 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.6.0, 0.6.1, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.14.0, 0.15.0, 0.15.1, 0.16.0, 0.16.1, 0.17.0, 0.18.0, 0.18.1, 0.18.2, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.22.1, 0.22.2, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.26.1, 0.27.0, 0.27.1, 0.27.2, 0.27.3, 0.27.4, 0.28.0, 0.29.0, 0.30.0, 0.30.1, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.35.1, 0.36.0, 0.36.1, 0.37.0, 0.38.0, 0.39.0, 0.39.1, 0.39.2, 0.39.3, 0.39.4, 0.40.0, 0.40.1, 0.40.2, 0.40.3, 0.40.4, 0.40.5, 0.40.6, 0.40.7, 0.41.0, 0.41.1, 0.41.2, 0.42.0, 0.42.1, 0.42.2, 0.42.3, 0.43.0, 0.44.0, 0.44.1, 0.44.2, 0.44.3, 0.44.4, 0.45.0, 0.46.0, 0.46.1, 0.47.0, 0.48.0, 0.49.0, 0.50.0, 0.51.0, 0.52.0, 0.52.1, 0.53.0, 0.54.0, 0.54.1, 0.54.2, 0.54.3, 0.54.4, 0.55.0, 0.55.1, 0.56.0, 0.57.0, 0.58.0, 0.59.0, 0.60.0, 0.60.1, 0.60.2, 0.60.3, 0.60.4, 0.61.0, 0.62.0, 0.62.1, 0.63.0, 0.63.1, 0.63.2, 0.63.3, 0.64.0, 0.64.1, 0.65.0, 0.65.1, 0.66.0, 0.67.0, 0.68.0, 0.68.1, 0.69.0, 0.69.1, 0.70.0, 0.70.1, 0.70.2, 0.70.3, 0.70.4, 0.71.0, 0.71.1, 0.72.0, 0.72.1, 0.72.2, 0.72.3, 0.72.4, 0.73.0, 0.74.0, 0.75.0, 0.76.0, 0.76.1, 0.76.2, 0.77.0, 0.77.1, 0.77.2, 0.78.0, 0.78.1, 0.79.0, 0.79.1, 0.79.2, 0.79.3, 0.79.4, 0.79.5, 0.79.6, 0.79.7, 0.79.8, 0.80.0, 0.80.1, 0.80.2, 0.81.0, 0.82.1, 0.82.2, 0.82.3, 0.82.4, 0.82.5, 0.82.6, 0.82.7, 0.82.8, 0.82.9, 0.83.0, 0.83.1, 0.83.2, 0.83.3, 0.83.4, 0.83.5, 0.83.6, 0.83.7, 0.83.8, 0.83.9, 0.83.10, 0.84.0, 0.85.0, 0.85.1, 0.85.2, 0.85.3, 0.86.0, 0.86.1, 0.86.2, 0.86.3, 0.86.4, 0.86.5, 0.87.0, 0.88.0, 0.89.0, 0.89.1, 0.89.2, 0.89.3, 0.89.4, 0.89.5, 0.89.6, 0.89.7, 0.89.8, 0.89.9, 0.89.10, 0.90.0, 0.90.1, 0.90.2, 0.90.3, 0.91.0, 0.92.0, 0.93.0, 0.94.0, 0.94.1, 0.94.2, 0.94.3, 0.94.4, 0.94.5, 0.95.0, 0.95.1, 0.96.0, 0.96.1, 0.96.2, 0.96.3, 0.96.4, 0.96.5, 0.96.6, 0.96.7, 0.96.8, 0.96.9, 0.97.0, 0.97.1, 0.98.0, 0.98.1, 0.98.2, 0.98.3, 0.99.0, 0.99.1, 0.100.0, 0.100.1, 0.100.2, 
0.100.3, 0.100.4, 0.100.5, 0.101.0, 0.101.1, 0.101.2, 0.101.3, 0.101.4, 0.101.5, 0.101.6, 0.101.7, 0.102.0, 0.102.1, 0.102.2, 0.102.3, 0.102.4, 0.103.0, 0.103.1, 0.104.0, 0.105.0, 0.105.1, 0.105.2, 0.106.0, 0.107.0, 0.107.1, 0.107.2, 0.107.3, 0.107.4, 0.107.5, 0.107.6, 0.107.7, 0.107.8, 0.107.9, 0.107.10, 0.107.11, 0.107.12, 0.107.13, 0.107.14, 0.107.15, 0.107.16, 0.108.0, 0.109.0, 0.109.1, 0.110.0, 0.110.1, 0.110.2, 0.110.3, 0.110.4, 0.110.5, 0.110.6, 0.110.7, 0.110.8, 0.110.9, 0.110.10, 0.111.0, 0.111.1, 0.111.2, 0.111.3, 0.111.4, 0.111.5, 0.111.6, 0.112.0, 0.112.1, 0.113.0, 0.113.1, 0.114.0, 0.114.1, 0.114.2, 0.114.3, 0.114.4, 0.114.5, 0.114.6, 0.114.7, 0.114.8, 0.114.9, 0.115.0, 0.115.1, 0.115.2, 0.115.3, 0.115.4, 0.115.5, 0.115.6, 0.115.7, 0.115.8, 0.115.9, 0.115.10, 0.115.11, 0.115.12, 0.115.13, 0.116.0, 0.116.1, 0.116.2, 0.116.3, 0.116.4, 0.116.5, 0.117.0, 0.117.1, 0.117.2, 0.117.3, 0.117.4, 0.117.5, 0.118.0, 0.118.1, 0.118.2, 0.118.3, 0.118.4, 0.118.5, 0.118.6, 0.118.7, 0.118.8, 0.118.9, 0.118.10, 0.119.0, 0.119.1, 0.119.2, 0.119.3, 0.119.4, 0.119.5, 0.119.6, 0.119.7, 0.119.8, 0.119.9, 0.119.10, 0.119.11, 0.119.12, 0.119.13, 0.120.0, 0.120.1, 0.120.2, 0.120.3, 0.120.4, 0.120.5, 0.120.6, 0.121.0, 0.121.1, 0.121.2, 0.121.3, 0.121.4, 0.122.0, 0.122.1, 0.122.2, 0.122.3, 0.122.4, 0.122.5, 0.122.6, 0.122.7, 0.122.8, 0.122.9, 0.123.0, 0.123.1, 0.123.2, 0.123.3, 0.123.4, 0.124.0, 0.124.1, 0.124.2, 0.124.3, 0.125.0, 0.126.0, 0.126.1, 0.126.2, 0.126.3, 0.126.4, 0.126.5, 0.127.0, 0.127.1, 0.127.2, 0.128.0, 0.128.1, 0.128.2, 0.128.3, 0.128.4, 0.128.5, 0.128.6, 0.128.7, 0.128.8, 0.128.9, 0.128.10, 0.129.0, 0.129.1, 0.129.2, 0.129.3, 0.129.4, 0.129.5, 0.129.6, 0.130.0, 0.130.1, 0.130.2, 0.130.3, 0.130.4, 0.130.5, 0.130.6, 0.130.7, 0.131.0, 0.132.0, 0.132.1, 0.132.2, 0.133.0, 0.133.1, 0.133.2, 0.133.3, 0.133.4, 0.133.5, 0.134.0, 0.134.1, 0.135.0, 0.135.1, 0.135.2, 0.135.3, 0.135.4, 0.136.0, 0.137.0, 0.138.0, 0.138.1, 0.138.2, 0.139.0, 0.139.1, 0.139.2, 0.140.0, 0.140.1, 
0.141.0, 0.141.1, 0.141.2, 0.142.0, 0.142.1, 0.142.2, 0.142.3, 0.142.4, 0.142.5, 0.142.6, 0.142.7, 0.142.8, 0.142.9, 0.143.0, 0.144.0, 0.144.1, 0.145.0, 0.145.1, 0.145.2, 0.145.3, 0.145.4, 0.145.5, 0.145.6, 0.145.7, 0.145.8, 0.145.9, 0.145.10, 0.145.11, 0.145.12, 0.145.13, 0.146.0, 0.146.1, 0.146.2, 0.147.0, 0.147.1, 0.147.2, 0.147.3, 0.147.4, 0.147.5, 0.147.6, 0.147.7, 0.147.8, 0.147.9, 0.147.10, 0.147.11, 0.147.12, 0.147.13, 0.147.14, 0.147.15, 0.147.16, 0.147.17, 0.147.18, 0.147.19, 0.147.20, 0.147.21, 0.147.22, 0.148.0, 0.148.1, 0.148.2, 0.148.3, 0.148.4, 0.148.5, 0.148.6, 0.148.7, 0.148.8, 0.148.9, 0.148.10, 0.149.0, 0.149.1, 0.149.2, 0.149.3, 0.149.4, 0.149.5, 0.149.6, 0.150.0, 0.150.1, 0.150.2, 0.150.3, 0.150.4, 0.150.5, 0.150.6, 0.150.7, 0.150.8, 0.150.9, 0.150.10, 0.151.0, 0.151.1, 0.151.2, 0.151.3, 0.151.4, 0.151.5, 0.151.6, 0.151.7, 0.151.8, 0.151.9, 0.151.10, 0.151.11, 0.152.0, 0.152.1, 0.152.2, 0.152.3, 0.152.4, 0.152.5, 0.152.6, 0.152.7, 0.152.8, 0.152.9, 0.152.10, 0.152.11, 0.152.12, 0.153.0, 0.153.1, 0.154.0, 0.154.1, 0.154.2, 0.154.3, 0.154.4, 0.154.5, 0.154.6, 0.154.7, 0.155.0, 0.155.1, 0.155.2, 0.155.3, 0.155.4, 0.155.5, 0.155.6, 0.155.7, 0.155.8, 0.155.9, 0.156.0, 0.156.1, 0.156.2, 0.157.0, 0.157.1, 0.157.2, 0.158.0, 0.158.1, 0.158.2, 0.159.0, 0.159.1, 0.159.2, 0.159.3, 0.159.4, 0.159.5, 0.159.6, 0.159.7, 0.159.8, 0.159.9, 0.159.10, 0.159.11, 0.159.12, 0.160.0, 0.160.1, 0.160.2, 0.160.3, 0.160.4, 0.160.5, 0.160.6, 0.160.7, 0.160.8, 0.161.0, 0.161.1, 0.161.2, 0.161.3, 0.161.4, 0.161.5, 0.161.6, 0.161.7, 0.161.8, 0.161.9, 0.161.10, 0.161.11, 0.161.12, 0.161.13, 0.161.14, 0.161.15, 0.161.16, 0.161.17, 0.161.18, 0.161.19, 0.161.20, 0.161.21, 0.161.22, 0.161.23, 0.161.24, 0.161.25, 0.162.0, 0.162.1, 0.162.2, 0.162.3, 0.162.4, 0.162.5, 0.162.6, 0.162.7, 0.162.8, 0.162.9, 0.162.10, 0.162.11, 0.162.12, 0.162.13, 0.162.14, 0.162.15, 0.162.16, 0.162.17, 0.162.18, 0.162.19, 0.162.20, 0.162.21, 0.162.22, 0.162.23, 0.162.24
All unaffected versions: 0.162.25, 0.163.0, 0.164.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.1.14, 1.1.15, 1.1.16, 1.1.17, 1.1.18, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.2.14, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.11.7, 1.11.8, 1.11.9, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.12.10, 1.12.11, 1.12.12, 1.12.13, 1.12.14, 1.12.15, 1.12.16, 1.12.17, 1.12.18, 1.12.19, 1.12.20, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.14.5, 1.14.6, 1.14.7, 1.14.8, 1.14.9, 1.14.10, 1.14.11, 1.14.12, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 1.15.6, 1.15.7, 1.15.8, 1.15.9, 1.15.10, 1.15.11, 1.15.12, 1.15.13, 1.15.14, 1.15.15, 1.15.16, 1.15.17, 1.15.18, 1.15.19, 1.15.20, 1.15.21, 1.15.22, 1.15.23, 1.15.24, 1.15.25, 1.15.26, 1.15.27, 1.15.28, 1.15.29, 1.15.30, 1.15.31, 1.15.32, 1.15.33, 1.15.34, 1.15.35, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.16.4, 1.16.5, 1.16.6, 1.16.7, 1.16.8, 1.16.9, 1.16.10, 1.16.11, 1.16.12, 1.16.13, 1.16.14, 1.17.0, 1.17.1, 1.17.2, 1.17.3