Headline
GHSA-p36r-qxgx-jq2v: Lobe Chat API Key Leak
Summary
If an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request.
Details
The attack process is described in the Summary above: an authenticated user points the Base URL at a host they control, the server makes the upstream request with its real API key attached, and the key is read from the request headers at that host.
PoC
Frontend:
- Pass basic authentication (SSO/Access Code).
- Set the Base URL to a private attack address.
- Configure the request method to be a server-side request.
- At the self-set attack address, retrieve the API Key information from the request headers.
Backend:
- The deployed LobeChat version allows the user to set the Base URL.
- There is no outbound traffic whitelist restricting which hosts the server may contact.
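The two backend conditions above are what a defender has to remove: the server must not make outbound requests to arbitrary user-chosen hosts, and it must not attach its own API key to a request whose destination the user chose. The following is an added illustration, not LobeChat's code; the allowlist, the default base URL, the placeholder key and the function name resolve_upstream are all assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed allowlist of upstream hosts the server is permitted to reach.
# Assumed for this example; the real deployment's configuration is not shown on the page.
ALLOWED_UPSTREAM_HOSTS = {"api.openai.com"}
DEFAULT_BASE_URL = "https://api.openai.com/v1"
SERVER_API_KEY = "sk-SERVER-SIDE-KEY-PLACEHOLDER"  # placeholder, not a real key


def resolve_upstream(user_base_url, user_api_key=None):
    """Decide which upstream URL and which credential a server-side request may use.

    Returns (base_url, api_key).  Raises ValueError when the requested upstream is
    outside the allowlist, uses a non-https scheme, or when a user-overridden base
    URL is not paired with the user's own key.
    """
    base = (user_base_url or "").strip() or DEFAULT_BASE_URL
    parsed = urlparse(base)

    # Outbound allowlist: scheme and hostname are checked, not a prefix of the
    # string, so "https://api.openai.com@attacker.example/" is rejected because
    # its hostname is attacker.example.
    if parsed.scheme != "https":
        raise ValueError("only https upstreams are allowed")
    if parsed.hostname not in ALLOWED_UPSTREAM_HOSTS:
        raise ValueError(f"upstream host not allowlisted: {parsed.hostname!r}")

    # Credential binding: the deployment's key is attached only to the default
    # upstream.  A caller who overrides the base URL must supply their own key,
    # so the server's secret is never sent to a destination the caller picked.
    if base.rstrip("/") != DEFAULT_BASE_URL.rstrip("/"):
        if not user_api_key:
            raise ValueError("custom base URL requires the caller's own API key")
        return base, user_api_key
    return base, SERVER_API_KEY


def is_rejected(user_base_url, user_api_key=None):
    """Helper for checks: True when resolve_upstream refuses the request."""
    try:
        resolve_upstream(user_base_url, user_api_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the default upstream, and a user-controlled host of the
    # kind described in the advisory.
    print(resolve_upstream(""))
    print(is_rejected("https://attacker.example/v1"))
```

The host allowlist alone closes the outbound-request condition; the credential-binding rule is the second layer, so that even a mistake in the allowlist cannot cause the server-side key to travel to a user-selected destination.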
Impact
Affects all community-edition LobeChat deployments that use SSO/Access Code authentication; tested on version 0.162.13.
References
- GHSA-p36r-qxgx-jq2v
- https://nvd.nist.gov/vuln/detail/CVE-2024-37895