CVE-2024-37895: Lobe Chat API Key Leak

June 17, 2024

If an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request.

References

github.com/advisories/GHSA-p36r-qxgx-jq2v
github.com/lobehub/lobe-chat
github.com/lobehub/lobe-chat/security/advisories/GHSA-p36r-qxgx-jq2v
nvd.nist.gov/vuln/detail/CVE-2024-37895

Detect and mitigate CVE-2024-37895 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →