CVE-2025-59417
BaseFortify
Publication date: 2025-09-18
Last updated on: 2025-09-25
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lobehub | lobe_chat | up to 1.129.4 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) issue in Lobe Chat versions prior to 1.129.4. It occurs when chat messages containing certain server responses with lobeArtifact nodes of type image/svg+xml are rendered through a component that sets inner HTML directly, so script embedded in a malicious SVG is executed in the user's browser. It can be exploited by anyone able to inject content into chat messages, potentially leading to remote code execution on the user's machine.
How can this vulnerability impact me?
The vulnerability can lead to remote code execution on the user's machine if exploited. This means an attacker who can inject malicious content into chat messages could execute arbitrary code, potentially compromising the user's system, stealing data, or performing unauthorized actions.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Lobe Chat to version 1.129.4 or later, as this version contains the fix for the cross-site scripting vulnerability. Additionally, restrict or monitor any parties capable of injecting content into chat messages, such as hosted malicious pages, compromised MCP servers, or tool integrations, to prevent exploitation.