Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Lobe Chat Desktop Vulnerable to Remote Code Execution via XSS in Chat Messages
Vulnerability Description
Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.129.4, there is a a cross-site scripting (XSS) vulnerability when handling chat message in lobe-chat that can be escalated to remote code execution on the user’s machine. In lobe-chat, when the response from the server is like <lobeArtifact identifier="ai-new-interpretation" ...> , it will be rendered with the lobeArtifact node, instead of the plain text. However, when the type of the lobeArtifact is image/svg+xml , it will be rendered as the SVGRender component, which internally uses dangerouslySetInnerHTML to set the content of the svg, resulting in XSS attack. Any party capable of injecting content into chat messages, such as hosting a malicious page for prompt injection, operating a compromised MCP server, or leveraging tool integrations, can exploit this vulnerability. This vulnerability is fixed in 1.129.4.
CVSS Information
N/A
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
Lobe Chat 跨站脚本漏洞
Vulnerability Description
Lobe Chat是LobeHub开源的一个开源、高性能的聊天机器人框架。 Lobe Chat 1.129.4之前版本存在跨站脚本漏洞,该漏洞源于SVGRender组件使用dangerouslySetInnerHTML处理SVG内容,可能导致跨站脚本攻击和远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A