Description

Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.130.1, the project's OIDC redirect handling logic constructs the host and protocol of the final redirect URL based on the X-Forwarded-Host or Host headers and the X-Forwarded-Proto value. In deployments where a reverse proxy forwards client-supplied X-Forwarded-* headers to the origin as-is, or where the origin trusts them without validation, an attacker can inject an arbitrary host and trigger an open redirect that sends users to a malicious domain. This issue has been patched in version 1.130.1.

INFO

Published Date :

2025-09-25T14:00:09.629Z

Last Modified :

2025-09-25T14:18:27.175Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-59426 vulnerability.

Vendors Products
Lobehub
  • Lobe Chat
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-59426.

URL Resource
https://github.com/lobehub/lobe-chat/blob/aa841a3879c30142720485182ad62aa0dbd74edc/src/app/(backend)/oidc/consent/route.ts#L113-L127 cve-icon cve-icon
https://github.com/lobehub/lobe-chat/commit/70f52a3c1fadbd41a9db0e699d1e44d9965de445 cve-icon cve-icon
https://github.com/lobehub/lobe-chat/security/advisories/GHSA-xph5-278p-26qx cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact