CVE-2025-59426: lobe-chat has an Open Redirect
Impact of the open redirect in lobe-chat's OIDC consent route (src/app/(backend)/oidc/consent/route.ts, see References):
- An attacker can bounce users through the trusted lobe-chat host to an untrusted external domain, enabling follow-on attacks such as phishing, credential harvesting, and session fixation.
- It undermines the OAuth/OIDC consent flow by landing users on a malicious domain dressed up as a legitimate page; although this path does not itself carry tokens, a redirect chain that starts on the trusted origin lends credibility to social-engineering attacks.
- The impact is amplified when the redirect chain is combined with other weaknesses such as a CSP bypass or cache poisoning.
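An open redirect of this kind arises when a user-controlled destination reaches the consent route's redirect without being confined to the application's own origin. The TypeScript below is an added illustration, not code from lobe-chat or from the fix commit: it places the unsafe pattern next to a hardened check that resolves the candidate against the deployment origin and emits only a same-origin path, plus the exact-match rule OIDC requires for a client's registered redirect_uri. APP_ORIGIN, the query parameter names (return_to, redirect_uri), and the registered-URI list are hypothetical.

```typescript
// Added example (not lobe-chat code): keeping a post-consent redirect on our own
// origin, next to the unsafe pattern an open redirect typically comes from.
// Hypothetical deployment origin and fallback path.
export const APP_ORIGIN = "https://chat.example.com";
export const DEFAULT_PATH = "/";

// Unsafe: whatever arrived in the query string becomes the Location header.
// Shown only for contrast with the hardened version below.
export function unsafeRedirectTarget(raw: string | null): string {
  return raw ?? DEFAULT_PATH;
}

// Hardened: resolve the candidate against our origin, accept it only if the
// parsed URL still belongs to that origin, and return a relative path so the
// Location header never names a host. The WHATWG URL parser canonicalises the
// usual bypasses before the origin comparison: "//evil.example",
// "\\evil.example", "https://chat.example.com@evil.example", "javascript:",
// and mixed-case scheme or host.
export function safeRedirectTarget(raw: string | null, origin: string = APP_ORIGIN): string {
  if (!raw) return DEFAULT_PATH;
  let target: URL;
  try {
    target = new URL(raw, origin);
  } catch {
    return DEFAULT_PATH; // unparseable input falls back to the home page
  }
  if (target.origin !== new URL(origin).origin) return DEFAULT_PATH;
  return target.pathname + target.search + target.hash;
}

// For an OIDC client's redirect_uri the rule is stricter still: an exact string
// match against the URIs registered for that client, never a prefix, substring
// or origin match. `registered` is hypothetical per-client data.
export function isRegisteredRedirectUri(candidate: string, registered: readonly string[]): boolean {
  return registered.some((uri) => uri === candidate);
}

// Hypothetical consent-handler fragment showing where the two checks sit.
export function consentRedirectLocation(query: URLSearchParams, registeredForClient: readonly string[]): string {
  const redirectUri = query.get("redirect_uri");
  if (redirectUri !== null) {
    // Client-controlled destination: honoured only if pre-registered; otherwise
    // stay on our own origin instead of forwarding to an unknown host.
    return isRegisteredRedirectUri(redirectUri, registeredForClient) ? redirectUri : DEFAULT_PATH;
  }
  // Otherwise an optional same-origin "return to" hint, hardened as above.
  return safeRedirectTarget(query.get("return_to"));
}
```

Returning a relative path rather than the re-serialised absolute URL is deliberate: even if the origin check were later loosened by mistake, the handler would still only ever emit a path on the current host.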
References
- github.com/advisories/GHSA-xph5-278p-26qx
- github.com/lobehub/lobe-chat
- github.com/lobehub/lobe-chat/blob/aa841a3879c30142720485182ad62aa0dbd74edc/src/app/(backend)/oidc/consent/route.ts
- github.com/lobehub/lobe-chat/commit/70f52a3c1fadbd41a9db0e699d1e44d9965de445
- github.com/lobehub/lobe-chat/security/advisories/GHSA-xph5-278p-26qx
- nvd.nist.gov/vuln/detail/CVE-2025-59426