AI Threat Alert AI Threat Alert

CVE-2024-32965: Lobe Chat: pre-auth SSRF leaks OpenAI API keys

HIGH PoC AVAILABLE CISA: TRACK*
Published November 26, 2024
CISO Take

Any internet-exposed Lobe Chat instance below v1.19.13 allows unauthenticated attackers to scan your internal network and steal the OpenAI API keys stored in JWT auth headers — no login required. Patch to 1.19.13 immediately and rotate all API keys that may have been exposed. If patching is delayed, block external access or strip the X-Lobe-Chat-Auth header at the reverse proxy level.

Risk Assessment

High risk. CVSS 8.6 reflects the trifecta: trivial exploitation (no auth, no interaction), high confidentiality impact, and lateral movement potential into internal infrastructure. The OpenAI API key exposure compounds the risk significantly — attackers gain not only SSRF pivot capability to reach internal services but also direct access to your LLM API budget and any data flowing through it. Cloud deployments face elevated exposure due to accessible instance metadata endpoints.

Affected Systems

Package Ecosystem Vulnerable Range Patched
lobe_chat No patch

Do you use lobe_chat? You're affected.

Severity & Risk

CVSS 3.1
8.6 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 43% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I Low
A Low

Recommended Action

5 steps

  1. PATCH

    Upgrade to Lobe Chat ≥1.19.13 immediately — the fix is available and the advisory confirms no workarounds exist for older versions.

  2. ROTATE

    Revoke and regenerate all OpenAI API keys configured in affected instances; audit OpenAI usage logs for anomalous spend or unusual request origins.

  3. NETWORK

    Apply egress filtering to block outbound requests from the app server to RFC1918 ranges (10/8, 172.16/12, 192.168/16), loopback (127/8), and cloud metadata IPs (169.254.169.254, 100.64.0.0/10).

  4. DETECT

    Alert on HTTP responses from internal IPs appearing in application logs; monitor for modified or structurally anomalous X-Lobe-Chat-Auth headers.

  5. WAF

    Deploy SSRF-specific rules blocking internal destination addresses in any user-controlled proxy or URL parameters.

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass API Framework AML.T0006 AML.T0034 AML.T0040 AML.T0049 AML.T0055 AML.T0083

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.4 - AI system security controls
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain AI system oversight
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-32965?

Any internet-exposed Lobe Chat instance below v1.19.13 allows unauthenticated attackers to scan your internal network and steal the OpenAI API keys stored in JWT auth headers — no login required. Patch to 1.19.13 immediately and rotate all API keys that may have been exposed. If patching is delayed, block external access or strip the X-Lobe-Chat-Auth header at the reverse proxy level.

Is CVE-2024-32965 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-32965, increasing the risk of exploitation.

How to fix CVE-2024-32965?

1. PATCH: Upgrade to Lobe Chat ≥1.19.13 immediately — the fix is available and the advisory confirms no workarounds exist for older versions. 2. ROTATE: Revoke and regenerate all OpenAI API keys configured in affected instances; audit OpenAI usage logs for anomalous spend or unusual request origins. 3. NETWORK: Apply egress filtering to block outbound requests from the app server to RFC1918 ranges (10/8, 172.16/12, 192.168/16), loopback (127/8), and cloud metadata IPs (169.254.169.254, 100.64.0.0/10). 4. DETECT: Alert on HTTP responses from internal IPs appearing in application logs; monitor for modified or structurally anomalous X-Lobe-Chat-Auth headers. 5. WAF: Deploy SSRF-specific rules blocking internal destination addresses in any user-controlled proxy or URL parameters.

What systems are affected by CVE-2024-32965?

This vulnerability affects the following AI/ML architecture patterns: LLM chat applications, AI API proxy services, self-hosted AI assistants, internal developer AI tooling.

What is the CVSS score for CVE-2024-32965?

CVE-2024-32965 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 0.21%.

Technical Details

NVD Description

Lobe Chat is an open-source, AI chat framework. Versions of lobe-chat prior to 1.19.13 have an unauthorized ssrf vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information. The jwt token header X-Lobe-Chat-Auth strored proxy address and OpenAI API Key, can be modified to scan an internal network in the target lobe-web environment. This issue has been addressed in release version 1.19.13 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploitation Scenario

An unauthenticated attacker discovers an internet-exposed Lobe Chat instance. They craft a POST request to the chat API with a modified X-Lobe-Chat-Auth JWT where the proxy field is replaced with http://169.254.169.254/latest/meta-data/ (AWS IMDS endpoint). Lobe Chat's backend forwards the request server-side and returns cloud IAM credentials in the response — full account takeover potential in one unauthenticated request. In parallel, the attacker decodes any intercepted legitimate JWT tokens to extract the embedded OpenAI API key, immediately usable for high-volume LLM queries billed to the victim or resold. With internal connectivity established, the attacker pivots to enumerate databases, internal APIs, or service meshes not otherwise reachable from the internet.

Weaknesses (CWE)

CWE-918

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

References

Timeline

Published
November 26, 2024
Last Modified
September 23, 2025
First Seen
November 26, 2024

Related Vulnerabilities

CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same attack type: Data Extraction
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Data Extraction
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
CRITICAL GHSA-vvpj-8cmc-gx39 10.0

picklescan: security flaw enables exploitation

Same attack type: Auth Bypass
Back to Threat Feed