CVE-2025-59426
BaseFortify
Publication date: 2025-09-25
Last updated on: 2025-10-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lobehub | lobe_chat | < 1.130.1 (1.130.1 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect'): the web application accepts user-controlled input that specifies a link to an external site and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an open redirect in Lobe Chat, the open-source AI chat framework, in versions prior to 1.130.1. The OIDC redirect handling logic builds the host and scheme of the final redirect URL from request headers (X-Forwarded-Host, Host and X-Forwarded-Proto) without validating them against the hostnames the deployment actually serves. If the reverse proxy in front of Lobe Chat passes client-supplied X-Forwarded-* headers through unchanged, or if the origin is reachable directly and trusts them, an attacker can inject an arbitrary host and the server will emit a redirect to that host. A user who follows the redirect during the OIDC flow lands on an attacker-controlled domain, which enables phishing and, in the text's assessment, session hijacking. [2]
How can this vulnerability impact me?
An attacker can cause users of your Lobe Chat instance to be redirected to untrusted external sites in the middle of an authentication flow. The consequences are phishing, credential harvesting, session fixation and disruption of the OAuth/OIDC login. The open redirect does not by itself disclose tokens, but a redirect that starts from a trusted origin is a convincing phishing vector, and its impact grows when chained with other weaknesses such as a Content Security Policy bypass or cache poisoning of the redirect response. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be confirmed by testing whether the application trusts X-Forwarded-Host, Host and X-Forwarded-Proto when constructing redirect URLs. Send a request to the OIDC endpoint with a manipulated X-Forwarded-Host (and X-Forwarded-Proto) and inspect the Location header of the response, for example: curl -v -H "X-Forwarded-Host: attacker.com" -H "X-Forwarded-Proto: https" https://your-lobe-chat-instance/oidc/consent. If the Location header points at attacker.com, the instance is vulnerable. Two caveats: run the probe both through your normal reverse-proxy path and directly against the origin, because the exposure depends on whether the proxy strips or overwrites the X-Forwarded-* headers before they reach Lobe Chat; and the consent endpoint may require an in-progress OIDC interaction before it redirects at all, so the absence of a redirect from a bare request does not prove the fix is present. The reliable check is the installed version: anything below 1.130.1 should be treated as affected. [2]
What immediate steps should I take to mitigate this vulnerability?
Upgrade lobe-chat to version 1.130.1 or later, where the issue is patched. The fix validates the redirect target in the OIDC flow, checking the host against the set of allowed hosts instead of accepting whatever the request headers carry. If you cannot upgrade immediately, make sure the reverse proxy in front of Lobe Chat overwrites (rather than forwards) client-supplied X-Forwarded-Host and X-Forwarded-Proto headers with values it sets itself, and do not expose the origin server directly to clients, so that the only header values the application sees are ones the proxy controls. [1, 2]
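The TypeScript below is an added illustration of the mechanism and the fix described above; it is not Lobe Chat's code or the advisory's, and the function names, the header map shape, the allow-list and the sample hostnames (chat.example.com, attacker.example) are assumptions made for this example. It shows the vulnerable pattern (redirect host taken from forwarded headers), a hardened variant that only redirects to hosts on a server-side allow-list, and a helper that evaluates the Location header from the curl probe in the detection answer.

```typescript
// Added example, not code from Lobe Chat. Header names follow the advisory;
// everything else (names, allow-list, sample values) is assumed for illustration.

type HeaderMap = Record<string, string | undefined>;

// Vulnerable pattern: host and scheme copied from X-Forwarded-Host /
// X-Forwarded-Proto (falling back to Host) straight into an absolute URL.
// Whatever the proxy forwards ends up in the Location header.
function buildRedirectVulnerable(headers: HeaderMap, path: string): string {
  const host = headers["x-forwarded-host"] ?? headers["host"] ?? "localhost";
  const proto = headers["x-forwarded-proto"] ?? "http";
  return `${proto}://${host}${path}`;
}

// Hardened variant: the requested host must be on the operator's allow-list,
// otherwise fall back to the first allowed host. The scheme is normalised and
// the path is forced to be a same-origin absolute path (no "//evil" prefix).
function buildRedirectHardened(
  headers: HeaderMap,
  path: string,
  allowedHosts: readonly string[],
): string {
  const [fallback] = allowedHosts;
  if (fallback === undefined) throw new Error("allow-list must not be empty");
  const candidate = (headers["x-forwarded-host"] ?? headers["host"] ?? "")
    .split(",")[0] // some proxies append hops; only the first one is the client-facing host
    .trim()
    .toLowerCase();
  const host = allowedHosts.includes(candidate) ? candidate : fallback;
  const proto = headers["x-forwarded-proto"] === "https" ? "https" : "http";
  const safePath = path.startsWith("/") && !path.startsWith("//") ? path : "/";
  return `${proto}://${host}${safePath}`;
}

// Detection side: given the Location header returned by a probe such as
//   curl -v -H "X-Forwarded-Host: attacker.example" https://<instance>/oidc/consent
// report whether the redirect leaves the set of hosts you actually serve.
function redirectLeavesOrigin(location: string, allowedHosts: readonly string[]): boolean {
  let target: URL;
  try {
    // A relative Location resolves against the placeholder base, i.e. stays on-origin.
    target = new URL(location, "https://placeholder.invalid");
  } catch {
    return false; // unparsable value; nothing a browser would follow
  }
  if (target.host === "placeholder.invalid") return false;
  const allowed = allowedHosts.map((h) => h.toLowerCase());
  return !allowed.includes(target.host.toLowerCase());
}

// Constructed sample: what a proxy that forwards client headers untouched
// would deliver to the origin during the probe above.
const PROBE_HEADERS: HeaderMap = {
  host: "chat.example.com",
  "x-forwarded-host": "attacker.example",
  "x-forwarded-proto": "https",
};
const ALLOWED: readonly string[] = ["chat.example.com"];

function demo() {
  const vulnerable = buildRedirectVulnerable(PROBE_HEADERS, "/oidc/consent");
  const hardened = buildRedirectHardened(PROBE_HEADERS, "/oidc/consent", ALLOWED);
  return { vulnerable, hardened, leaks: redirectLeavesOrigin(vulnerable, ALLOWED) };
}

console.log(demo());
```

The allow-list is the point: the public hostname of a deployment is configuration the operator knows, so the application should never derive it from a header a client can set. Forcing the path to start with a single "/" closes the protocol-relative variant ("//attacker.example/...") that a browser would otherwise treat as an absolute URL.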