CVE-2025-59417

Exploit

EPSS 0.09%
Veröffentlicht 18.09.2025 14:38:55
Zuletzt bearbeitet 25.09.2025 15:32:15
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.129.4, there is a a cross-site scripting (XSS) vulnerability when handling chat message in lobe-chat that can be escalated to remote code execution on the user’s machine. In lobe-chat, when the response from the server is like <lobeArtifact identifier="ai-new-interpretation" ...> , it will be rendered with the lobeArtifact node, instead of the plain text. However, when the type of the lobeArtifact is image/svg+xml , it will be rendered as the SVGRender component, which internally uses dangerouslySetInnerHTML to set the content of the svg, resulting in XSS attack. Any party capable of injecting content into chat messages, such as hosting a malicious page for prompt injection, operating a compromised MCP server, or leveraging tool integrations, can exploit this vulnerability. This vulnerability is fixed in 1.129.4.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lobehub ≫ Lobe Chat Version < 1.129.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.251

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	6.8	0	0	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/lobehub/lobe-chat/security/advisories/GHSA-m79r-r765-5f9j

Vendor Advisory

Exploit

https://github.com/lobehub/lobe-chat/commit/9f044edd07ce102fe9f4b2fb47c62191c36da05c

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-59417

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-59417

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-59417

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-59417