CVE-2025-59426

low-risk
Published 2025-09-25

Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.130.1, the project's OIDC redirect handling logic constructs the host and protocol of the final redirect URL based on the X-Forwarded-Host or Host headers and the X-Forwarded-Proto value. In deployments where a reverse proxy forwards client-supplied X-Forwarded-* headers to the origin as-is, or where the origin trusts them without validation, an attacker can inject an arbitrary host and trigger an open redirect that sends users to a malicious domain. This issue has been patched in version 1.130.1.

Do I need to act?

-
0.12% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Lobe Chat

Affected Vendors

Lobehub

References (4)

Product https://github.com/lobehub/lobe-chat/blob/aa841a3879c30142720485182ad62aa0dbd74e...
Patch https://github.com/lobehub/lobe-chat/commit/70f52a3c1fadbd41a9db0e699d1e44d9965d...
Exploit https://github.com/lobehub/lobe-chat/security/advisories/GHSA-xph5-278p-26qx
Exploit https://github.com/lobehub/lobe-chat/security/advisories/GHSA-xph5-278p-26qx
24
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal