AI Threat Alert

CVE-2024-32965: Lobe Chat: pre-auth SSRF leaks OpenAI API keys

HIGH PoC AVAILABLE CISA: TRACK*
Published November 26, 2024
CISO Take

Any internet-exposed Lobe Chat instance below v1.19.13 allows unauthenticated attackers to scan your internal network and steal the OpenAI API keys stored in JWT auth headers — no login required. Patch to 1.19.13 immediately and rotate all API keys that may have been exposed. If patching is delayed, block external access or strip the X-Lobe-Chat-Auth header at the reverse proxy level.

What is the risk?

High risk. CVSS 8.6 reflects the trifecta: trivial exploitation (no auth, no interaction), high confidentiality impact, and lateral movement potential into internal infrastructure. The OpenAI API key exposure compounds the risk significantly — attackers gain not only SSRF pivot capability to reach internal services but also direct access to your LLM API budget and any data flowing through it. Cloud deployments face elevated exposure due to accessible instance metadata endpoints.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
lobe_chat No patch

Do you use lobe_chat? You're affected.

How severe is it?

CVSS 3.1
8.6 / 10
EPSS
23.7%
chance of exploitation in 30 days
Higher than 98% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 24%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I Low
A Low

What should I do?

5 steps

  1. PATCH

    Upgrade to Lobe Chat ≥1.19.13 immediately — the fix is available and the advisory confirms no workarounds exist for older versions.

  2. ROTATE

    Revoke and regenerate all OpenAI API keys configured in affected instances; audit OpenAI usage logs for anomalous spend or unusual request origins.

  3. NETWORK

    Apply egress filtering to block outbound requests from the app server to RFC1918 ranges (10/8, 172.16/12, 192.168/16), loopback (127/8), and cloud metadata IPs (169.254.169.254, 100.64.0.0/10).

  4. DETECT

    Alert on HTTP responses from internal IPs appearing in application logs; monitor for modified or structurally anomalous X-Lobe-Chat-Auth headers.

  5. WAF

    Deploy SSRF-specific rules blocking internal destination addresses in any user-controlled proxy or URL parameters.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Auth Bypass API Framework AML.T0006 AML.T0034 AML.T0040 AML.T0049 AML.T0055 AML.T0083

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.4 - AI system security controls
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain AI system oversight
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-32965?

Any internet-exposed Lobe Chat instance below v1.19.13 allows unauthenticated attackers to scan your internal network and steal the OpenAI API keys stored in JWT auth headers — no login required. Patch to 1.19.13 immediately and rotate all API keys that may have been exposed. If patching is delayed, block external access or strip the X-Lobe-Chat-Auth header at the reverse proxy level.

Is CVE-2024-32965 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-32965, increasing the risk of exploitation.

How to fix CVE-2024-32965?

1. PATCH: Upgrade to Lobe Chat ≥1.19.13 immediately — the fix is available and the advisory confirms no workarounds exist for older versions. 2. ROTATE: Revoke and regenerate all OpenAI API keys configured in affected instances; audit OpenAI usage logs for anomalous spend or unusual request origins. 3. NETWORK: Apply egress filtering to block outbound requests from the app server to RFC1918 ranges (10/8, 172.16/12, 192.168/16), loopback (127/8), and cloud metadata IPs (169.254.169.254, 100.64.0.0/10). 4. DETECT: Alert on HTTP responses from internal IPs appearing in application logs; monitor for modified or structurally anomalous X-Lobe-Chat-Auth headers. 5. WAF: Deploy SSRF-specific rules blocking internal destination addresses in any user-controlled proxy or URL parameters.

What systems are affected by CVE-2024-32965?

This vulnerability affects the following AI/ML architecture patterns: LLM chat applications, AI API proxy services, self-hosted AI assistants, internal developer AI tooling.

What is the CVSS score for CVE-2024-32965?

CVE-2024-32965 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 23.72%.

What is the AI security impact?

Affected AI Architectures

LLM chat applicationsAI API proxy servicesself-hosted AI assistantsinternal developer AI tooling

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0034 Cost Harvesting
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.4
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06, LLM07

What are the technical details?

Original Advisory

Lobe Chat is an open-source, AI chat framework. Versions of lobe-chat prior to 1.19.13 have an unauthorized ssrf vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information. The jwt token header X-Lobe-Chat-Auth strored proxy address and OpenAI API Key, can be modified to scan an internal network in the target lobe-web environment. This issue has been addressed in release version 1.19.13 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploitation Scenario

An unauthenticated attacker discovers an internet-exposed Lobe Chat instance. They craft a POST request to the chat API with a modified X-Lobe-Chat-Auth JWT where the proxy field is replaced with http://169.254.169.254/latest/meta-data/ (AWS IMDS endpoint). Lobe Chat's backend forwards the request server-side and returns cloud IAM credentials in the response — full account takeover potential in one unauthenticated request. In parallel, the attacker decodes any intercepted legitimate JWT tokens to extract the embedded OpenAI API key, immediately usable for high-volume LLM queries billed to the victim or resold. With internal connectivity established, the attacker pivots to enumerate databases, internal APIs, or service meshes not otherwise reachable from the internet.

Weaknesses (CWE)

CWE-918 Server-Side Request Forgery (SSRF)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

References

Timeline

Published
November 26, 2024
Last Modified
September 23, 2025
First Seen
November 26, 2024

Related Vulnerabilities

CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same attack type: Data Extraction
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Data Extraction
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
CRITICAL GHSA-vvpj-8cmc-gx39 10.0

picklescan: security flaw enables exploitation

Same attack type: Auth Bypass
Back to Threat Feed